# HG changeset patch # User Will Fiveash # Date 1456332237 21600 # Node ID 9bf0bc57423a47834b324aa0291c6159825c5314 # Parent a5031bb8b66d8a0f84cf2ed2527bd49cd1d98db2 PSARC/2015/144 Kerberos 1.13 Delivery to Userland 19153034 Add MIT Kerberos to the Userland Consolidation diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Makefile --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Makefile Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,201 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. +# + +include ../../make-rules/shared-macros.mk + +COMPONENT_NAME= Kerberos +COMPONENT_MINOR= 1.13 +COMPONENT_VERSION= 1.13.3 +COMPONENT_PROJECT_URL= http://web.mit.edu/kerberos/ +COMPONENT_SRC= krb5-$(COMPONENT_VERSION) +COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz +COMPONENT_ARCHIVE_HASH= \ + sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe +COMPONENT_ARCHIVE_URL= \ + $(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE) +COMPONENT_BUGDB= utility/kerberos + +TPNO= 26018 + +include $(WS_MAKE_RULES)/prep.mk +include $(WS_MAKE_RULES)/configure.mk +include $(WS_MAKE_RULES)/ips.mk + +# Encoding rules for IPS: MIT KerberosV5 .[.] => IPS ..[|0].0 +IPS_COMPONENT_VERSION= 1.13.3.0 + +# The configure script is not at the top of the source directory. +CONFIGURE_SCRIPT= $(SOURCE_DIR)/src/configure + +# We need to enable large file support and build PIC for our shared libraries +CFLAGS += $(CPP_LARGEFILES) $(CC_PIC) + +# Include openldap headers instead of obsolete mozilla ldap headers. +CPPFLAGS += -I$(USRINCDIR)/openldap + +# Temporary solution until we can fix this upstream with MIT, which currently +# depends on implicit binding of libc. Here we explicitly link with libc to +# satisfy this dependency. +# If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch. +LDFLAGS += -lc -z defs + +CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)" +CONFIGURE_ENV += CFLAGS="$(CFLAGS)" +CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)" +CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)" +CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)" +CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab" +CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab" + +# Other CONFIGURE_OPTIONS assignments coming from make-rules/configure.mk +CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR) +CONFIGURE_OPTIONS += --localstatedir=/var +CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR) +CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64) +CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5 +# to avoid executing subprocesses from /usr/[s]bin/$(MACH64): +CONFIGURE_OPTIONS += --bindir=$(USRBINDIR) +CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR) +CONFIGURE_OPTIONS += --with-crypto-impl=openssl +CONFIGURE_OPTIONS += --with-ldap +CONFIGURE_OPTIONS += --with-prng-alg=os +CONFIGURE_OPTIONS += --with-tcl=$(USRDIR) +CONFIGURE_OPTIONS += --without-system-verto + +COMPONENT_PRE_CONFIGURE_ACTION = \ + cd $(SOURCE_DIR)/src/ && $(SOURCE_DIR)/src/util/reconf + +PROTOULD = $(PROTOUSRLIBDIR) + +COMPONENT_TEST_ARGS += LD_LIBRARY_PATH="$(PROTOULD):$(PROTOULD)/$(MACH64):" + +# MIT's test suite is not well suited for master results processing/filtering +# but since the test implementation will return failure to the uland build, +# this is good enough. The following disables master results processing. +COMPONENT_TEST_CREATE_TRANSFORMS= +COMPONENT_TEST_PERFORM_TRANSFORM= +COMPONENT_TEST_COMPARE= + +# We don't ship Solaris specific files as patches to ease maintenance. +# We rather copy the files to the right directories. +COMPONENT_PREP_ACTION= \ + $(CP) Solaris/getuid.c $(SOURCE_DIR)/src/lib/krb5/os/; \ + $(CP) Solaris/g_utils.c $(SOURCE_DIR)/src/lib/gssapi/mechglue/; \ + $(CP) Solaris/kadm_host_srv_names.c $(SOURCE_DIR)/src/lib/kadm5/; \ + $(CP) Solaris/kt_findrealm.c $(SOURCE_DIR)/src/lib/krb5/keytab/; \ + $(CP) Solaris/kt_solaris.c $(SOURCE_DIR)/src/lib/krb5/keytab/; \ + $(CP) Solaris/kt_solaris.h $(SOURCE_DIR)/src/lib/krb5/keytab/; \ + $(CP) Solaris/libgss_stubs.c $(SOURCE_DIR)/src/lib/gssapi/mechglue/; \ + $(CP) Solaris/missing_interfaces.c $(SOURCE_DIR)/src/lib/krb5/; \ + $(CP) Solaris/privacy_allowed.c $(SOURCE_DIR)/src/lib/krb5/; \ + $(CP) Solaris/prof_solaris.c $(SOURCE_DIR)/src/lib/krb5/; \ + $(CP) Solaris/prof_solaris.h $(SOURCE_DIR)/src/lib/krb5/; \ + $(CP) Solaris/rc_mem.c $(SOURCE_DIR)/src/lib/krb5/rcache; \ + $(CP) Solaris/rc_mem.h $(SOURCE_DIR)/src/lib/krb5/rcache; \ + $(CP) Solaris/safechown.c $(SOURCE_DIR)/src/lib/krb5/os; \ + $(CP) Solaris/util_ordering.c $(SOURCE_DIR)/src/lib/gssapi/generic + +# We move xdr_alloc.c and supporting dyn code from libgssrpc directly +# into libkadm5srv_mit. kadmind is the only consumer anyway. +SRCLIB=$(SOURCE_DIR)/src/lib +COMPONENT_PREP_ACTION += ;\ + $(CP) $(SRCLIB)/rpc/xdr_alloc.c $(SRCLIB)/kadm5/srv/; \ + $(CP) $(SRCLIB)/rpc/dyn.c $(SRCLIB)/kadm5/srv/; \ + $(CP) $(SRCLIB)/rpc/dyn.h $(SRCLIB)/kadm5/srv/; \ + $(CP) $(SRCLIB)/rpc/dynP.h $(SRCLIB)/kadm5/srv/; \ + $(CP) $(SRCLIB)/rpc/dyntest.c $(SRCLIB)/kadm5/srv/; \ + +# Common flags used to create the filter libs below +FILTLIBFLAGS = -G -Bdirect -z defs -z text + +$(BUILD_32): COMPONENT_POST_BUILD_ACTION= \ + $(CC) -o $(BUILD_DIR)/$(MACH32)/lib/libgss.so.1 \ + -hlibgss.so.1 $(FILTLIBFLAGS) -lc \ + -M$(COMPONENT_DIR)/Solaris/libgss.mapfile-vers \ + -R$(USRLIBDIR)/krb5 \ + -z discard-unused=dependencies \ + -L $(BUILD_DIR)/$(MACH32)/lib -lkrb5support \ + $(BUILD_DIR)/$(MACH32)/lib/gssapi/mechglue/libgss_stubs.o && \ + $(CC) -o $(BUILD_DIR)/$(MACH32)/lib/libkrb5.so.1 \ + -hlibkrb5.so.1 $(FILTLIBFLAGS) \ + -M$(COMPONENT_DIR)/Solaris/libkrb5.mapfile-vers \ + $(BUILD_DIR)/$(MACH32)/lib/krb5/missing_interfaces.o \ + $(BUILD_DIR)/$(MACH32)/lib/krb5/privacy_allowed.o && \ + $(LD) -o $(BUILD_DIR)/$(MACH32)/lib/libkadm5clnt.so.1 \ + -hlibkadm5clnt.so.1 $(FILTLIBFLAGS) \ + -M$(COMPONENT_DIR)/Solaris/libkadm5clnt.mapfile-vers; + +$(BUILD_64): COMPONENT_POST_BUILD_ACTION= \ + $(CC) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libgss.so.1 \ + -hlibgss.so.1 $(FILTLIBFLAGS) -lc \ + -M$(COMPONENT_DIR)/Solaris/libgss.mapfile-vers \ + -R$(USRLIBDIR)/krb5/$(MACH64) \ + -z discard-unused=dependencies \ + -L $(BUILD_DIR)/$(MACH64)/lib -lkrb5support \ + $(BUILD_DIR)/$(MACH64)/lib/gssapi/mechglue/libgss_stubs.o && \ + $(CC) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libkrb5.so.1 \ + -hlibkrb5.so.1 $(FILTLIBFLAGS) \ + -M$(COMPONENT_DIR)/Solaris/libkrb5.mapfile-vers \ + $(BUILD_DIR)/$(MACH64)/lib/krb5/missing_interfaces.o \ + $(BUILD_DIR)/$(MACH64)/lib/krb5/privacy_allowed.o && \ + $(LD) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \ + -hlibkadm5clnt.so.1 $(FILTLIBFLAGS) \ + -M$(COMPONENT_DIR)/Solaris/libkadm5clnt.mapfile-vers; + +$(INSTALL_32): COMPONENT_POST_INSTALL_ACTION= \ + $(CP) $(BUILD_DIR)/$(MACH32)/lib/libgss.so.1 \ + $(PROTO_DIR)$(USRLIBDIR); \ + $(CP) $(BUILD_DIR)/$(MACH32)/lib/libkrb5.so.1 \ + $(PROTO_DIR)$(USRLIBDIR); \ + $(CP) $(BUILD_DIR)/$(MACH32)/lib/libkadm5clnt.so.1 \ + $(PROTO_DIR)$(USRLIBDIR); + +$(INSTALL_64): COMPONENT_POST_INSTALL_ACTION= \ + $(MKDIR) -p $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \ + $(CP) $(BUILD_DIR)/$(MACH64)/lib/libgss.so.1 \ + $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \ + $(CP) $(BUILD_DIR)/$(MACH64)/lib/libkrb5.so.1 \ + $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \ + $(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \ + $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); + +ASLR_MODE = $(ASLR_ENABLE) + +# common targets +build: $(BUILD_32_and_64) + +install: $(INSTALL_32_and_64) + +# build does this always +test: $(TEST_32_and_64) + +REQUIRED_PACKAGES += developer/test/dejagnu +REQUIRED_PACKAGES += library/libedit +REQUIRED_PACKAGES += library/openldap +REQUIRED_PACKAGES += library/security/openssl +REQUIRED_PACKAGES += service/security/kerberos-5 +REQUIRED_PACKAGES += shell/ksh93 +REQUIRED_PACKAGES += system/library +REQUIRED_PACKAGES += system/library/math +REQUIRED_PACKAGES += system/library/security/gss + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/g_utils.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/g_utils.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,246 @@ +/* + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + */ + +#include "mglueP.h" +#include "gssapiP_krb5.h" + +#include +#include +#include +#include +#include +#include +#include +/* +#include +#include +*/ +#include + +#define Q_DEFAULT "default" +#define BUFLEN 256 + +static int qop_num_pair_cnt; +static const char QOP_NUM_FILE[] = "/etc/gss/qop"; +static qop_num qop_num_pairs[MAX_QOP_NUM_PAIRS+1]; +static mutex_t qopfile_lock = DEFAULTMUTEX; + +static OM_uint32 __gss_read_qop_file(void); + +/* + * This routine fetches qop and num from "/etc/gss/qop". + * There is a memory leak associated with rereading this file, + * because we can't free the qop_num_pairs array when we reread + * the file (some callers may have been given these pointers). + * In general, this memory leak should be a small one, because + * we don't expect the qop file to be changed and reread often. + */ +static OM_uint32 +__gss_read_qop_file(void) +{ + char buf[BUFLEN]; /* one line from the file */ + char *name, *next; + char *qopname, *num_str; + char *line; + FILE *fp; + static int last = 0; + struct stat stbuf; + OM_uint32 major = GSS_S_COMPLETE; + + (void) mutex_lock(&qopfile_lock); + if (stat(QOP_NUM_FILE, &stbuf) != 0 || stbuf.st_mtime < last) { + if (!qop_num_pairs[0].qop) { + major = GSS_S_FAILURE; + } + goto done; + } + last = stbuf.st_mtime; + + fp = fopen(QOP_NUM_FILE, "rF"); + if (fp == (FILE *)0) { + major = GSS_S_FAILURE; + goto done; + } + + /* + * For each line in the file parse it appropriately. + * File format : qopname num(int) + * Note that we silently ignore corrupt entries. + */ + qop_num_pair_cnt = 0; + while (!feof(fp)) { + line = fgets(buf, BUFLEN, fp); + if (line == NULL) + break; + + /* Skip comments and blank lines */ + if ((*line == '#') || (*line == '\n')) + continue; + + /* Skip trailing comments */ + next = strchr(line, '#'); + if (next) + *next = '\0'; + + name = &(buf[0]); + while (isspace(*name)) + name++; + if (*name == '\0') /* blank line */ + continue; + + qopname = name; /* will contain qop name */ + while (!isspace(*qopname)) + qopname++; + if (*qopname == '\0') { + continue; + } + next = qopname+1; + *qopname = '\0'; /* null terminate qopname */ + qop_num_pairs[qop_num_pair_cnt].qop = strdup(name); + if (qop_num_pairs[qop_num_pair_cnt].qop == NULL) + continue; + + name = next; + while (isspace(*name)) + name++; + if (*name == '\0') { /* end of line, no num */ + free(qop_num_pairs[qop_num_pair_cnt].qop); + continue; + } + num_str = name; /* will contain num (n) */ + while (!isspace(*num_str)) + num_str++; + next = num_str+1; + *num_str++ = '\0'; /* null terminate num_str */ + + qop_num_pairs[qop_num_pair_cnt].num = (OM_uint32)atoi(name); + name = next; + while (isspace(*name)) + name++; + if (*name == '\0') { /* end of line, no mechanism */ + free(qop_num_pairs[qop_num_pair_cnt].qop); + continue; + } + num_str = name; /* will contain mech */ + while (!isspace(*num_str)) + num_str++; + *num_str = '\0'; + + qop_num_pairs[qop_num_pair_cnt].mech = strdup(name); + if (qop_num_pairs[qop_num_pair_cnt].mech == NULL) { + free(qop_num_pairs[qop_num_pair_cnt].qop); + continue; + } + + if (qop_num_pair_cnt++ >= MAX_QOP_NUM_PAIRS) + break; + } + (void) fclose(fp); +done: + (void) mutex_unlock(&qopfile_lock); + return (major); +} + +OM_uint32 +gssint_qop_to_num( + char *qop, + char *mech, + OM_uint32 *num +) +{ + int i; + OM_uint32 major = GSS_S_FAILURE; + + if (!num) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + + if (qop == NULL || strlen(qop) == 0 || + strcasecmp(qop, Q_DEFAULT) == 0) { + *num = GSS_C_QOP_DEFAULT; + return (GSS_S_COMPLETE); + } + + if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE) + return (major); + + for (i = 0; i < qop_num_pair_cnt; i++) { + if ((strcasecmp(mech, qop_num_pairs[i].mech) == 0) && + (strcasecmp(qop, qop_num_pairs[i].qop) == 0)) { + *num = qop_num_pairs[i].num; + return (GSS_S_COMPLETE); + } + } + + return (GSS_S_FAILURE); +} + +OM_uint32 +gssint_num_to_qop( + char *mech, + OM_uint32 num, + char **qop +) +{ + int i; + OM_uint32 major; + + if (!qop) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + *qop = NULL; + + if (num == GSS_C_QOP_DEFAULT) { + *qop = Q_DEFAULT; + return (GSS_S_COMPLETE); + } + + if (mech == NULL) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE) + return (major); + + for (i = 0; i < qop_num_pair_cnt; i++) { + if ((strcasecmp(mech, qop_num_pairs[i].mech) == 0) && + (num == qop_num_pairs[i].num)) { + *qop = qop_num_pairs[i].qop; + return (GSS_S_COMPLETE); + } + } + return (GSS_S_FAILURE); +} + +/* + * For a given mechanism pass back qop information about it in a buffer + * of size MAX_QOPS_PER_MECH+1. + */ +OM_uint32 +gssint_get_mech_info( + char *mech, + char **qops +) +{ + int i, cnt = 0; + OM_uint32 major = GSS_S_COMPLETE; + + if (!qops) + return (GSS_S_CALL_INACCESSIBLE_WRITE); + *qops = NULL; + + if (!mech) + return (GSS_S_CALL_INACCESSIBLE_READ); + + if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE) + return (major); + + for (i = 0; i < qop_num_pair_cnt; i++) { + if (strcmp(mech, qop_num_pairs[i].mech) == 0) { + if (cnt >= MAX_QOPS_PER_MECH) { + return (GSS_S_FAILURE); + } + qops[cnt++] = qop_num_pairs[i].qop; + } + } + qops[cnt] = NULL; + return (GSS_S_COMPLETE); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/getuid.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/getuid.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +#include +#include +#include +#include "k5-int.h" + +#define KRB5_UID "app_krb5_user_uid" + +/* + * mech_krb5 makes various calls to getuid(). When employed by gssd(1M) and + * ktkt_warnd(1M), app_krb5_user_uid() is used to select a given user's + * credential cache, rather than the id of the process. + */ +uid_t +krb5_getuid() +{ + static uid_t (*gptr)() = NULL; + void *handle; + + if (gptr == NULL) { + /* + * Specifically look for app_krb5_user_uid() in the application, + * and don't fall into an exhaustive search through all of the + * process dependencies. This interface is suplied from + * gssd(1M) and ktkt_warnd(1M). + */ + if (((handle = dlopen(0, (RTLD_LAZY | RTLD_FIRST))) == NULL) || + ((gptr = (uid_t (*)())dlsym(handle, KRB5_UID)) == NULL)) { + /* + * Fall back to the default getuid(), which is probably + * libc. + */ + gptr = &getuid; + } + } + + /* + * Return the appropriate uid. Note, if a default getuid() couldn't + * be found, the getuid assignment would have failed to relocate, and + * hence this module would fail to load. + */ + return ((*gptr)()); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kadm5.acl --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kadm5.acl Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,24 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. +# + +*/admin@___default_realm___ * diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kadm_host_srv_names.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kadm_host_srv_names.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,245 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + */ +/* + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * lib/kad5/kadm_host_srv_names.c + */ + +#include +#include "admin.h" +#include +#include "fake-addrinfo.h" +/* HACK!!! need struct serverlist*/ +#include "../krb5/os/os-proto.h" + +/* HACK!!! */ +#define KADM5_ADMIN_HOST_SERVICE "kadmin" +#define KADM5_CHANGEPW_HOST_SERVICE "changepw" + +extern krb5_error_code +k5_locate_kadmin(krb5_context context, const krb5_data *realm, + struct serverlist *serverlist); + +extern krb5_error_code +locate_kpasswd(krb5_context context, const krb5_data *realm, + struct serverlist *serverlist, krb5_boolean no_udp); + +/* + * Find the admin server for the given realm. If the realm is null or + * the empty string, find the admin server for the default realm. + * Returns 0 on succsess (KADM5_OK). It is the callers responsibility to + * free the storage allocated to the admin server, master. + */ +kadm5_ret_t +kadm5_get_master(krb5_context context, const char *realm, char **master) +{ + kadm5_ret_t ret = KADM5_OK; + char *def_realm = NULL; + krb5_error_code code; + struct serverlist serverlist = SERVERLIST_INIT; + struct server_entry *entry; + krb5_data krealm; + + if (realm == 0 || *realm == '\0') + krb5_get_default_realm(context, &def_realm); + + krealm = string2data(def_realm ? def_realm : (char *) realm); + + code = k5_locate_server(context, &krealm, &serverlist, + locate_service_kadmin, TRUE); + if (code == 0) { + entry = &serverlist.servers[0]; + *master = strdup(entry->hostname); + if (*master == NULL) + ret = ENOMEM; + } else + ret = KADM5_NO_SRV; + + if (def_realm != NULL) + krb5_free_default_realm(context, def_realm); + + k5_free_serverlist(&serverlist); + + return (ret); +} + +void +free_srv_names(char **srv_names) +{ + int i; + + if (srv_names == NULL) + return; + + for (i = 0; srv_names[i] != NULL; i++) { + free(srv_names[i]); + } + + free(srv_names); +} + +/* + * Get the host base service name for the admin principal. Returns + * KADM5_OK on success. Caller must call free_srv_names() on + * host_service_names. + */ +kadm5_ret_t +kadm5_get_adm_host_srv_names(krb5_context context, + const char *realm, char ***host_service_names) +{ + kadm5_ret_t ret; + char **tmp_srv_names; + struct serverlist sl = SERVERLIST_INIT; + int i; + krb5_data realm_data; + + /* get list of admin servers */ + if (realm == NULL) + return (EINVAL); + realm_data.magic = KV5M_DATA; + realm_data.data = (char *) realm; + realm_data.length = strlen(realm); + if (ret = k5_locate_kadmin(context, (const krb5_data *) &realm_data, &sl)) + return (ret); + + /* + 1 for array terminator */ + tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *)); + if (tmp_srv_names == NULL) { + k5_free_serverlist(&sl); + return (ENOMEM); + } + + for (i = 0; i < sl.nservers; i++) { + tmp_srv_names[i] = malloc(strlen(KADM5_ADMIN_HOST_SERVICE) + + strlen(sl.servers[i].hostname) + 2); + if (tmp_srv_names[i] == NULL) { + free_srv_names(tmp_srv_names); + k5_free_serverlist(&sl); + return (ENOMEM); + } + sprintf(tmp_srv_names[i], "%s@%s", KADM5_ADMIN_HOST_SERVICE, + sl.servers[i].hostname); + } + + k5_free_serverlist(&sl); + *host_service_names = tmp_srv_names; + return (KADM5_OK); +} + +/* + * Get the host base service name for the changepw principal. Returns + * KADM5_OK on success. Caller must call free_srv_names() on + * host_service_names. + */ +kadm5_ret_t +kadm5_get_cpw_host_srv_names(krb5_context context, + const char *realm, char ***host_service_names) +{ + kadm5_ret_t ret; + char **tmp_srv_names; + struct serverlist sl = SERVERLIST_INIT; + int i; + krb5_data realm_data; + + /* get list of admin servers */ + if (realm == NULL) + return (EINVAL); + realm_data.magic = KV5M_DATA; + realm_data.data = (char *) realm; + realm_data.length = strlen(realm); + if (ret = locate_kpasswd(context, (const krb5_data *) &realm_data, &sl, 0)) + return (ret); + + /* + 1 for array terminator */ + tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *)); + if (tmp_srv_names == NULL) { + k5_free_serverlist(&sl); + return (ENOMEM); + } + + for (i = 0; i < sl.nservers; i++) { + tmp_srv_names[i] = malloc(strlen(KADM5_CHANGEPW_HOST_SERVICE) + + strlen(sl.servers[i].hostname) + 2); + if (tmp_srv_names[i] == NULL) { + free_srv_names(tmp_srv_names); + k5_free_serverlist(&sl); + return (ENOMEM); + } + sprintf(tmp_srv_names[i], "%s@%s", KADM5_CHANGEPW_HOST_SERVICE, + sl.servers[i].hostname); + } + + k5_free_serverlist(&sl); + *host_service_names = tmp_srv_names; + return (KADM5_OK); +} + +/* + * Get the host base service name for the kiprop principal. Returns + * KADM5_OK on success. Caller must free the storage allocated + * for host_service_name. + */ +kadm5_ret_t +kadm5_get_kiprop_host_srv_names(krb5_context context, + const char *realm, + char ***host_service_names) +{ + kadm5_ret_t ret; + char **tmp_srv_names; + struct serverlist sl = SERVERLIST_INIT; + int i; + krb5_data realm_data; + + /* get list of admin servers */ + if (realm == NULL) + return (EINVAL); + realm_data.magic = KV5M_DATA; + realm_data.data = (char *) realm; + realm_data.length = strlen(realm); + if (ret = k5_locate_kadmin(context, (const krb5_data *) &realm_data, &sl)) + return (ret); + + /* + 1 for array terminator */ + tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *)); + if (tmp_srv_names == NULL) { + k5_free_serverlist(&sl); + return (ENOMEM); + } + + for (i = 0; i < sl.nservers; i++) { + tmp_srv_names[i] = malloc(strlen(KADM5_KIPROP_HOST_SERVICE) + + strlen(sl.servers[i].hostname) + 2); + if (tmp_srv_names[i] == NULL) { + free_srv_names(tmp_srv_names); + k5_free_serverlist(&sl); + return (ENOMEM); + } + sprintf(tmp_srv_names[i], "%s@%s", KADM5_KIPROP_HOST_SERVICE, + sl.servers[i].hostname); + } + + k5_free_serverlist(&sl); + *host_service_names = tmp_srv_names; + return (KADM5_OK); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kadmin.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kadmin.xml Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,95 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kdc.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kdc.conf Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,37 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved. +# + +[kdcdefaults] + kdc_ports = 88,750 + +[realms] + ___default_realm___ = { + profile = /etc/krb5/krb5.conf + database_name = /var/krb5/principal + acl_file = /etc/krb5/kadm5.acl + kadmind_port = 749 + max_life = 8h 0m 0s + max_renewable_life = 7d 0h 0m 0s + default_principal_flags = +preauth + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kpropd.acl --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kpropd.acl Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,23 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. +# + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/krb5.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/krb5.conf Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,66 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved. +# + +# krb5.conf template +# In order to complete this configuration file +# you will need to replace the ____ placeholders +# with appropriate values for your network and uncomment the +# appropriate entries. +# +[libdefaults] +# default_realm = ___default_realm___ + +[realms] +# ___default_realm___ = { +# kdc = ___master_kdc___ +# kdc = ___slave_kdc1___ +# kdc = ___slave_kdc2___ +# kdc = ___slave_kdcN___ +# admin_server = ___master_kdc___ +# } + +[domain_realm] +# ___domainname___ = ___default_realm___ + +[logging] + default = FILE:/var/krb5/kdc.log + kdc = FILE:/var/krb5/kdc.log + kdc_rotate = { + +# How often to rotate kdc.log. Logs will get rotated no more +# often than the period, and less often if the KDC is not used +# frequently. + + period = 1d + +# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...) + + versions = 10 + } + +[appdefaults] + kinit = { + renewable = true + forwardable= true + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/krb5_prop.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/krb5_prop.xml Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,95 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/krb5kdc.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/krb5kdc.xml Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kt_findrealm.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kt_findrealm.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,65 @@ +/* + * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved. + */ +/* + * Solaris Kerberos: + * Iterate through a keytab (keytab) looking for an entry which matches + * the components of a principal (princ) but match on any realm. When a + * suitable entry is found return the entry's realm. + */ + +#include "k5-int.h" + +krb5_error_code krb5_kt_find_realm(krb5_context context, krb5_keytab keytab, + krb5_principal princ, krb5_data *realm) { + + krb5_kt_cursor cur; + krb5_keytab_entry ent; + krb5_boolean match; + krb5_data tmp_realm; + krb5_error_code ret, ret2; + + ret = krb5_kt_start_seq_get(context, keytab, &cur); + if (ret != 0) { + return (ret); + } + + while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cur)) == 0) { + /* For the comparison the realms should be the same. */ + memcpy(&tmp_realm, &ent.principal->realm, sizeof (krb5_data)); + memcpy(&ent.principal->realm, &princ->realm, + sizeof (krb5_data)); + + match = krb5_principal_compare(context, ent.principal, princ); + + /* Copy the realm back */ + memcpy(&ent.principal->realm, &tmp_realm, sizeof (krb5_data)); + + if (match) { + /* + * A suitable entry was found in the keytab. + * Copy its realm + */ + ret = krb5int_copy_data_contents(context, + &ent.principal->realm, realm); + if (ret) { + krb5_kt_free_entry(context, &ent); + krb5_kt_end_seq_get(context, keytab, &cur); + return (ret); + } + + krb5_kt_free_entry(context, &ent); + break; + } + + krb5_kt_free_entry(context, &ent); + } + + ret2 = krb5_kt_end_seq_get(context, keytab, &cur); + + if (ret == KRB5_KT_END) { + return (KRB5_KT_NOTFOUND); + } + + return (ret ? ret : ret2); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kt_solaris.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kt_solaris.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,496 @@ +/* + * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * kt_solaris.c is to provide set of keytab interfaces contracted with SMB team. + */ + +#include "k5-int.h" +#include +#include +#include +#include +#include +#include +#include "kt_solaris.h" + +#define AES128 ENCTYPE_AES128_CTS_HMAC_SHA1_96 +#define AES256 ENCTYPE_AES256_CTS_HMAC_SHA1_96 +#define DES3 ENCTYPE_DES3_CBC_SHA1 +#define AES_ENTRIES 2 +#define HOST_TRUNC 15 +#define SVC_ENTRIES 4 + +static krb5_error_code +k5_kt_open(krb5_context ctx, krb5_keytab *kt) +{ + krb5_error_code code; + char buf[MAX_KEYTAB_NAME_LEN], ktstr[MAX_KEYTAB_NAME_LEN]; + + memset(buf, 0, sizeof (buf)); + memset(ktstr, 0, sizeof (ktstr)); + + if ((code = krb5_kt_default_name(ctx, buf, sizeof (buf))) != 0) + return (code); + + /* + * The default is file type w/o the write. If it's anything besides + * FILE or WRFILE then we bail as quickly as possible. + */ + if (strncmp(buf, "FILE:", strlen("FILE:")) == 0) + (void) snprintf(ktstr, sizeof (ktstr), "WR%s", buf); + else if (strncmp(buf, "WRFILE:", strlen("WRFILE:")) == 0) + (void) snprintf(ktstr, sizeof (ktstr), "%s", buf); + else + return (EINVAL); + + return (krb5_kt_resolve(ctx, ktstr, kt)); +} + +static krb5_error_code +k5_kt_add_entry(krb5_context ctx, krb5_keytab kt, const krb5_principal princ, + const krb5_principal svc_princ, krb5_enctype enctype, krb5_kvno kvno, + const char *pw) +{ + krb5_keytab_entry entry; + krb5_data password, salt; + krb5_keyblock key; + krb5_error_code code; + + memset(&entry, 0, sizeof (entry)); + memset(&key, 0, sizeof (krb5_keyblock)); + + password.length = strlen(pw); + password.data = (char *)pw; + + if ((code = krb5_principal2salt(ctx, svc_princ, &salt)) != 0) { + return (code); + } + + if ((krb5_c_string_to_key(ctx, enctype, &password, &salt, &key)) != 0) + goto cleanup; + + entry.key = key; + entry.vno = kvno; + entry.principal = princ; + + code = krb5_kt_add_entry(ctx, kt, &entry); + +cleanup: + + free(salt.data); + krb5_free_keyblock_contents(ctx, &key); + + return (code); +} + +/* + * krb5_error_code k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str, + * krb5_kvno kvno, uint_t flags, char *password) + * + * Adds keys to the keytab file for a default set of service principals for + * the specified host (or local host) in an Active Directory environment. + * + * where ctx is the pointer passed back from krb5_init_context + * where sprincs_str is an array of service principal names to be added + * to the keytab file, terminated by a NULL pointer + * where domain is the domain used to fully qualify the hostname for + * constructing the salt in the string-to-key function. + * where kvno is the key version number of the set of service principal + * keys to be added + * where flags is the set of conditions that affects the key table entries + * current set of defined flags: + * + * encryption type + * --------------- + * 0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys added) + * + * where password is the password that will be used to derive the key for + * the associated service principals in the keytab file + * where hostname is the unqualified hostname of the system that will be used to + * derive the key salt. If NULL is specified, this function will use the hostname + * of the local system. + * + * Note: this function is used for adding service principals to the + * local /etc/krb5/krb5.keytab (unless KRB5_KTNAME has been set to something + * different, see krb5envvar(5)) file when the client belongs to an AD domain. + * The keytab file is populated differently for an AD domain as the various + * service principals share the same key material, unlike MIT based + * implementations. + * + * Note: For encryption types; the union of the enc type flag and the + * capabilities of the client is used to determine the enc type set to + * populate the keytab file. + * + * Note: The keys are not created for any AES enctypes UNLESS the + * K5_KT_FLAG_AES_SUPPORT flag is set and permitted_enctypes has the AES + * enctypes enabled. + * + * Note: In Active Directory environments the salt is constructed by truncating + * the host name to 15 characters and only use the host svc princ as the salt, + * e.g. host/.@. The realm name is determined by parsing + * sprincs_str. The local host name to construct is determined by calling + * gethostname(3C). If AD environments construct salts differently in the + * future or this function is expanded outside of AD environments one could + * derive the salt by sending an initial authentication exchange. + * + * Note: The kvno was previously determined by performing an LDAP query of the + * computer account's msDS-KeyVersionNumber attribute. If the schema changes + * in the future or this function is expanded outside of AD environments then + * one could derive the principal's kvno by requesting a service ticket. + */ +krb5_error_code +k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str, char *domain, + krb5_kvno kvno, uint_t flags, char *password, char *hostname) +{ + krb5_principal princ = NULL, salt = NULL, f_princ = NULL; + krb5_keytab kt = NULL; + krb5_enctype *enctypes = NULL, *tenctype, penctype = 0; + char **tprinc, *ptr, *token, *t_host = NULL, *realm; + char localname[MAXHOSTNAMELEN]; + krb5_error_code code; + krb5_boolean similar; + uint_t t_len; + + assert(ctx != NULL && sprincs_str != NULL && *sprincs_str != NULL); + assert(password != NULL && domain != NULL); + + if ((code = krb5_parse_name(ctx, *sprincs_str, &f_princ)) != 0) + return (code); + if (krb5_princ_realm(ctx, f_princ)->length == 0) { + code = EINVAL; + goto cleanup; + } + realm = krb5_princ_realm(ctx, f_princ)->data; + + if (hostname == NULL) { + if (gethostname(localname, MAXHOSTNAMELEN) != 0) { + code = errno; + goto cleanup; + } + token = localname; + + /* + * Local host name could be fully qualified and/or in upper + * case, but usually and appropriately not. + */ + if ((ptr = strchr(token, '.')) != NULL) + ptr = '\0'; + for (ptr = token; *ptr; ptr++) + *ptr = tolower(*ptr); + } else { + token = hostname; + } + + /* + * Windows servers currently truncate the host name to 15 characters + * and only use the host svc princ as the salt, e.g. + * host/str15.domain@realm + */ + t_len = snprintf(NULL, 0, "host/%.*s.%s@%s", HOST_TRUNC, token, domain, + realm) + 1; + if ((t_host = malloc(t_len)) == NULL) { + code = ENOMEM; + goto cleanup; + } + (void) snprintf(t_host, t_len, "host/%.*s.%s@%s", HOST_TRUNC, token, + domain, realm); + + if ((code = krb5_parse_name(ctx, t_host, &salt)) != 0) + goto cleanup; + + if ((code = k5_kt_open(ctx, &kt)) != 0) + goto cleanup; + + code = krb5_get_permitted_enctypes(ctx, &enctypes); + if (code != 0 || *enctypes == NULL) + goto cleanup; + + for (tprinc = sprincs_str; *tprinc; tprinc++) { + + if ((code = krb5_parse_name(ctx, *tprinc, &princ)) != 0) + goto cleanup; + + for (tenctype = enctypes; *tenctype; tenctype++) { + if ((!(flags & K5_KT_FLAG_AES_SUPPORT) && + (*tenctype == AES128 || *tenctype == AES256)) || + (*tenctype == DES3)) { + continue; + } + + if (penctype) { + code = krb5_c_enctype_compare(ctx, *tenctype, + penctype, &similar); + if (code != 0) + goto cleanup; + else if (similar) + continue; + } + + code = k5_kt_add_entry(ctx, kt, princ, salt, *tenctype, + kvno, password); + if (code != 0) + goto cleanup; + + penctype = *tenctype; + } + + krb5_free_principal(ctx, princ); + princ = NULL; + penctype = NULL; + } + +cleanup: + + if (f_princ != NULL) + krb5_free_principal(ctx, f_princ); + if (salt != NULL) + krb5_free_principal(ctx, salt); + if (t_host != NULL) + free(t_host); + if (kt != NULL) + (void) krb5_kt_close(ctx, kt); + if (enctypes != NULL) + krb5_free_enctypes(ctx, enctypes); + if (princ != NULL) + krb5_free_principal(ctx, princ); + + return (code); +} + +#define PRINCIPAL 0 +#define REALM 1 + +static krb5_error_code +k5_kt_remove_by_key(krb5_context ctx, char *key, uint_t type) +{ + krb5_error_code code; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_keytab kt = NULL; + krb5_principal svc_princ = NULL; + krb5_principal_data realm_data; + boolean_t found = FALSE; + + assert(ctx != NULL && key != NULL); + + if (type == REALM) { + krb5_princ_realm(ctx, &realm_data)->length = strlen(key); + krb5_princ_realm(ctx, &realm_data)->data = key; + } else if (type == PRINCIPAL) { + if ((code = krb5_parse_name(ctx, key, &svc_princ)) != 0) + goto cleanup; + } else + return (EINVAL); + + if ((code = k5_kt_open(ctx, &kt)) != 0) + goto cleanup; + + if ((code = krb5_kt_start_seq_get(ctx, kt, &cursor)) != 0) + goto cleanup; + + while ((code = krb5_kt_next_entry(ctx, kt, &entry, &cursor)) == 0) { + if (type == PRINCIPAL && krb5_principal_compare(ctx, svc_princ, + entry.principal)) { + found = TRUE; + } else if (type == REALM && krb5_realm_compare(ctx, &realm_data, + entry.principal)) { + found = TRUE; + } + + if (found == TRUE) { + code = krb5_kt_end_seq_get(ctx, kt, &cursor); + if (code != 0) { + krb5_kt_free_entry(ctx, &entry); + goto cleanup; + } + + code = krb5_kt_remove_entry(ctx, kt, &entry); + if (code != 0) { + krb5_kt_free_entry(ctx, &entry); + goto cleanup; + } + + code = krb5_kt_start_seq_get(ctx, kt, &cursor); + if (code != 0) { + krb5_kt_free_entry(ctx, &entry); + goto cleanup; + } + + found = FALSE; + } + + krb5_kt_free_entry(ctx, &entry); + } + + if (code && code != KRB5_KT_END) + goto cleanup; + + code = krb5_kt_end_seq_get(ctx, kt, &cursor); + +cleanup: + + if (svc_princ != NULL) + krb5_free_principal(ctx, svc_princ); + if (kt != NULL) + (void) krb5_kt_close(ctx, kt); + + return (code); +} + +/* + * krb5_error_code k5_kt_remove_by_realm(krb5_context ctx, char *realm) + * + * Removes all key entries in the keytab file that match the exact realm name + * specified. + * + * where ctx is the pointer passed back from krb5_init_context + * where realm is the realm name that is matched for any keytab entries + * to be removed + * + * Note: if there are no entries matching realm then 0 (success) is returned + */ +krb5_error_code +k5_kt_remove_by_realm(krb5_context ctx, char *realm) +{ + + return (k5_kt_remove_by_key(ctx, realm, REALM)); +} + +/* + * krb5_error_code k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str) + * + * Removes all key entries in the keytab file that match the exact service + * principal name specified. + * + * where ctx is the pointer passed back from krb5_init_context + * where sprinc_str is the service principal name that is matched for any + * keytab entries to be removed + * + * Note: if there are no entries matching sprinc_str then 0 (success) is + * returned + */ +krb5_error_code +k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str) +{ + + return (k5_kt_remove_by_key(ctx, sprinc_str, PRINCIPAL)); +} + +/* + * krb5_error_code k5_kt_validate(krb5_context ctx, char *sprinc_str, + * uint_t flags, boolean_t *valid) + * + * The validate function determines that the service principal exists and that + * it has a valid set of encryption types for said principal. + * + * where ctx is the pointer passed back from krb5_init_context + * where sprinc_str is the principal to be validated in the keytab file + * where flags is the set of conditions that affects the key table entries + * that the function considers valid + * current set of defined flags: + * + * encryption type + * --------------- + * 0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys are + * valid) + * + * where valid is a boolean that is set if the sprinc_str is correctly + * populated in the keytab file based on the flags set else valid is unset. + * + * Note: The validate function assumes that only one set of keys exists for + * a corresponding service principal, of key version number (kvno) n. It would + * consider more than one kvno set as invalid. This is from the fact that AD + * clients will attempt to refresh credential caches if KRB5KRB_AP_ERR_MODIFIED + * is returned by the acceptor when the requested kvno is not found within the + * keytab file. + */ +krb5_error_code +k5_kt_ad_validate(krb5_context ctx, char *sprinc_str, uint_t flags, + boolean_t *valid) +{ + krb5_error_code code; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_keytab kt = NULL; + krb5_principal svc_princ = NULL; + krb5_enctype *enctypes = NULL, *tenctype, penctype = 0; + boolean_t ck_aes = FALSE; + uint_t aes_count = 0, kt_entries = 0; + krb5_boolean similar; + + assert(ctx != NULL && sprinc_str != NULL && valid != NULL); + + *valid = FALSE; + ck_aes = flags & K5_KT_FLAG_AES_SUPPORT; + + if ((code = krb5_parse_name(ctx, sprinc_str, &svc_princ)) != 0) + goto cleanup; + + if ((code = k5_kt_open(ctx, &kt)) != 0) + goto cleanup; + + code = krb5_get_permitted_enctypes(ctx, &enctypes); + if (code != 0 || *enctypes == NULL) + goto cleanup; + + if ((code = krb5_kt_start_seq_get(ctx, kt, &cursor)) != 0) + goto cleanup; + + while ((code = krb5_kt_next_entry(ctx, kt, &entry, &cursor)) == 0) { + if (krb5_principal_compare(ctx, svc_princ, entry.principal)) { + + for (tenctype = enctypes; *tenctype; tenctype++) { + if (penctype) { + code = krb5_c_enctype_compare(ctx, + *tenctype, penctype, &similar); + if (code != 0) { + krb5_kt_free_entry(ctx, &entry); + goto cleanup; + } else if (similar) + continue; + } + + if ((*tenctype != DES3) && + (entry.key.enctype == *tenctype)) { + kt_entries++; + } + + penctype = *tenctype; + } + + if ((entry.key.enctype == AES128) || + (entry.key.enctype == AES256)) { + aes_count++; + } + } + + krb5_kt_free_entry(ctx, &entry); + } + + if (code && code != KRB5_KT_END) + goto cleanup; + + if ((code = krb5_kt_end_seq_get(ctx, kt, &cursor))) + goto cleanup; + + if (ck_aes == TRUE) { + if ((kt_entries != SVC_ENTRIES) || (aes_count != AES_ENTRIES)) + goto cleanup; + } else if (kt_entries != (SVC_ENTRIES - AES_ENTRIES)) + goto cleanup; + + *valid = TRUE; + +cleanup: + + if (svc_princ != NULL) + krb5_free_principal(ctx, svc_princ); + if (kt != NULL) + (void) krb5_kt_close(ctx, kt); + if (enctypes != NULL) + krb5_free_enctypes(ctx, enctypes); + + return (code); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/kt_solaris.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/kt_solaris.h Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * Solaris Kerberos + * This is a private header file, therefore the interfaces that this file + * declares are subject to change without prior notice. + */ + +#ifndef _KT_SOLARIS_H +#define _KT_SOLARIS_H + +#ifdef __cplusplus +extern "C" { +#endif + +#define K5_KT_FLAG_AES_SUPPORT 1 + +krb5_error_code k5_kt_add_ad_entries(krb5_context, char **, char *, krb5_kvno, + uint_t, char *, char *); + +krb5_error_code k5_kt_remove_by_realm(krb5_context, char *); + +krb5_error_code k5_kt_remove_by_svcprinc(krb5_context, char *); + +krb5_error_code k5_kt_ad_validate(krb5_context, char *, uint_t, boolean_t *); + +#ifdef __cplusplus +} +#endif + +#endif /* _KT_SOLARIS_H */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/libgss.mapfile-vers --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/libgss.mapfile-vers Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,155 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. +# + +$mapfile_version 2 + +STUB_OBJECT; +SYMBOL_VERSION SUNWpublic { + global: + gss_get_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_acquire_cred_impersonate_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_set_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gssspi_mech_invoke { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_delete_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; +} SUNW_1.3; + +SYMBOL_VERSION SUNW_1.3 { + global: + gss_add_buffer_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + GSS_C_INQ_SSPI_SESSION_KEY { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + gss_create_empty_buffer_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_sec_context_by_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_buffer_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; +} SUNW_1.2; + +SYMBOL_VERSION SUNW_1.2 { + global: + gss_accept_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_acquire_cred_with_password { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_acquire_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_add_cred_with_password { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_add_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_add_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + GSS_C_NT_ANONYMOUS { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + GSS_C_NT_EXPORT_NAME { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + GSS_C_NT_HOSTBASED_SERVICE { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + GSS_C_NT_MACHINE_UID_NAME { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + GSS_C_NT_STRING_UID_NAME { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + GSS_C_NT_USER_NAME { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + gss_canonicalize_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_compare_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_context_time { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_create_empty_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_delete_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_display_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_display_status { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_duplicate_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_export_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_export_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_get_mic { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_import_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_import_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_indicate_mechs { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_init_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_cred_by_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_mechs_for_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_inquire_names_for_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_process_context_token { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_buffer { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_release_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_seal { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_sign { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_store_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_test_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_unseal { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_unwrap { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_verify_mic { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_verify { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_wrap_size_limit { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_wrap { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; +} SUNW_1.1; + +# Due to mistakes made early in the history of this library, there are +# no SUNW_1.1 symbols, but the version is now kept as a placeholder. +# Don't add any symbols to this version. + +SYMBOL_VERSION SUNW_1.1 { + global: + SUNW_1.1; +}; + +SYMBOL_VERSION SUNWprivate_1.1 { + global: + __gss_get_kmodName; + gssint_get_kmodName { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_get_mech_info; + gssint_get_mech_info { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_get_mech_type; + gssint_get_mech_type { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_get_mechanism; + gssint_get_mechanism { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_get_mechanisms; + gssint_get_mechanisms { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_get_modOptions; + gssint_get_modOptions { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_mech_to_oid; + gssint_mech_to_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_num_to_qop; + gssint_num_to_qop { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_oid_to_mech; + gssint_oid_to_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_qop_to_num; + gssint_qop_to_num { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + __gss_userok; + gss_authorize_localname { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + der_length_size; + gssint_der_length_size { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + generic_gss_copy_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + generic_gss_release_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + get_der_length; + gssint_get_der_length { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_get_group_info { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gss_nt_exported_name { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + gss_nt_service_name { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + gss_nt_service_name_v2 { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize }; + gss_oid_to_str { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_str_to_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gsscred_expname_to_unix_cred_ext { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gsscred_expname_to_unix_cred { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gsscred_name_to_unix_cred_ext { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gsscred_name_to_unix_cred { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gsscred_set_options { TYPE = FUNCTION; FILTER = libgsscred.so.1 }; + gssint_copy_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + put_der_length; + gssint_put_der_length { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + generic_gss_add_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + gss_pname_to_uid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + local: + *; +}; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/libgss_stubs.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/libgss_stubs.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +#include "mglueP.h" + +OM_uint32 +__gss_mech_to_oid(const char *mechStr, gss_OID* oid) { + return (gssint_mech_to_oid(mechStr, oid)); +} + +const char * +__gss_oid_to_mech(const gss_OID oid) { + return (gssint_oid_to_mech(oid)); +} + +OM_uint32 +__gss_get_mechanisms(char *mechArray[], int arrayLen) { + return (gssint_get_mechanisms(mechArray, arrayLen)); +} + +char * +__gss_get_kmodName(const gss_OID oid) { + return (gssint_get_kmodName(oid)); +} + +gss_mechanism +__gss_get_mechanism(const gss_OID oid) { + return (gssint_get_mechanism(oid)); +} + +char * +__gss_get_modOptions(const gss_OID oid) { + return (gssint_get_modOptions(oid)); +} + +OM_uint32 +__gss_get_mech_type(gss_OID OID, gss_buffer_t token) { + return (gssint_get_mech_type(OID, token)); +} + +unsigned int +der_length_size(unsigned int len) { + return (gssint_der_length_size(len)); +} + +int +get_der_length(unsigned char **buf, unsigned int buf_len, unsigned int *bytes) { + return (gssint_get_der_length(buf, buf_len, bytes)); +} + +int +put_der_length(unsigned int length, unsigned char **buf, unsigned int max_len) { + return (gssint_put_der_length(length, buf, max_len)); +} + +OM_uint32 +__gss_get_mech_info(char *mech, char **qops) { + return (gssint_get_mech_info(mech, qops)); +} + +OM_uint32 +__gss_num_to_qop(char *mech, OM_uint32 num, char **qop) { + return (gssint_num_to_qop(mech, num, qop)); +} + +OM_uint32 +__gss_qop_to_num(char *qop, char *mech, OM_uint32 *num) { + return (gssint_qop_to_num(qop, mech, num)); +} + +/* + * Wrapper __gss_userok -> gss_authorize_localname + */ +OM_uint32 +__gss_userok(OM_uint32 *minor, const gss_name_t name, const char *user, + int *user_ok) { + OM_uint32 ret, dummy_minor; + gss_buffer_desc user_buf; + gss_name_t user_name; + + *user_ok = 0; + + user_buf.value = (void *)user; + user_buf.length = strlen(user); + + ret = gss_import_name(minor, &user_buf, GSS_C_NT_USER_NAME, &user_name); + if (GSS_ERROR(ret)) + return (ret); + + ret = gss_authorize_localname(minor, name, user_name); + if (ret == GSS_S_COMPLETE) + *user_ok = 1; + + (void) gss_release_name(&dummy_minor, &user_name); + + return (ret); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/libkadm5clnt.mapfile-vers --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,48 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. +# + +$mapfile_version 2 + +STUB_OBJECT; +SYMBOL_VERSION SUNWprivate_1.1 { + global: + free_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_destroy { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + + local: + *; +}; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/libkrb5.mapfile-vers --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/libkrb5.mapfile-vers Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,388 @@ +# +# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. +# + +$mapfile_version 2 + +STUB_OBJECT; + +# +# This is a mapfile that defines a filter over multiple MIT kerberos libraries so +# that the filter library can provide all the dependencies needed by kerberos +# related components staying in ON. +# +# New functions can be added as needed. +# + +SYMBOL_VERSION SUNWprivate { + global: + + krb5_os_init_context; + krb5_privacy_allowed; + mit_des_fixup_key_parity; + com_err { TYPE = FUNCTION; FILTER = libcom_err.so.3.0 }; + com_err_va { TYPE = FUNCTION; FILTER = libcom_err.so.3.0 }; + error_message { TYPE = FUNCTION; FILTER = libcom_err.so.3.0 }; + krb5_c_encrypt { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_decrypt { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_encrypt_length { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_block_size { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_init_state { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_free_state { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_make_random_key { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_random_make_octets { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_string_to_key { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_string_to_key_with_params { + TYPE = FUNCTION; + FILTER = libk5crypto.so.3.1; + }; + krb5_c_enctype_compare { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_make_checksum { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_verify_checksum { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_checksum_length { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_keyed_checksum_types { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_valid_enctype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_valid_cksumtype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_is_coll_proof_cksum { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_c_is_keyed_cksum { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_cc_gen_new { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_initialize { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_destroy { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_close { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_store_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_retrieve_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_get_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_get_principal { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_start_seq_get { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_next_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_end_seq_get { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_remove_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_set_flags { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_get_type { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_get_type { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_get_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_close { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_get_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_start_seq_get { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_next_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_end_seq_get { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_init_context { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_init_secure_context { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_context { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_default_tgs_enctypes { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_permitted_enctypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_is_thread_safe { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_tgt_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_credentials { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_credentials_validate { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_credentials_renew { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_req { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_req_extended { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_rep { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_rep { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_error { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_error { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_safe { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_priv { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_parse_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_unparse_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_unparse_name_ext { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_principal_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_address_search { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_address_compare { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_address_order { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_realm_compare { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_principal_compare { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_init_keyblock { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_keyblock { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_keyblock_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_data { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_principal { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_addresses { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_ticket { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_authdata { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_authenticator { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_copy_checksum { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_server_rcache { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_build_principal_ext { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_build_principal { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_resolve { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_default_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_default { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_keytab_entry_contents { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_kt_remove_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_add_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_principal2salt { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_resolve { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_default_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_set_default_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_default { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cc_copy_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_principal { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_authenticator { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_addresses { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_authdata { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_ticket { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_error { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_cred_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_checksum { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_checksum_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_keyblock { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_keyblock_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_ap_rep_enc_part { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_data { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_data_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_unparsed_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_cksumtypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_us_timeofday { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_timeofday { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_os_localaddr { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_default_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_default_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_default_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_sname_to_principal { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_change_password { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_password { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_password_using_ccache { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_profile { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_req { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kt_read_service_key { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_safe { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_priv { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_sendauth { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_recvauth { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_recvauth_version { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_ncred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_mk_1cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rd_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_fwd_tgt_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_init { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_free { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_setflags { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getflags { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_set_checksum_func { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_get_checksum_func { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_setaddrs { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getaddrs { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_setports { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_setuseruserkey { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_getkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getsendsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getrecvsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_setsendsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_setrecvsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getlocalseqnumber { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_getremoteseqnumber { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_setrcache { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getrcache { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getauthenticator { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_read_password { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_aname_to_localname { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_host_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_host_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_kuserok { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_genaddrs { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_real_time { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_string_to_enctype { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_string_to_salttype { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_string_to_cksumtype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_string_to_timestamp { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_string_to_deltat { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_enctype_to_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_salttype_to_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_cksumtype_to_string { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_timestamp_to_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_timestamp_to_sfstring { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_deltat_to_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_prompter_posix { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_init_creds_opt_init { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_tkt_life { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_renew_life { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_forwardable { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_proxiable { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_etype_list { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_address_list { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_preauth_list { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_opt_set_salt { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_password { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_init_creds_keytab { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_verify_init_creds_opt_init { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_verify_init_creds_opt_set_ap_req_nofail { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_verify_init_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_validated_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_renewed_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_decode_ticket { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_appdefault_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_appdefault_boolean { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_prompt_types { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_string_to_key { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_use_enctype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_pac_add_buffer { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_free { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_get_buffer { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_get_types { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_init { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_parse { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_pac_verify { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_decode_authdata_container { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_encode_authdata_container { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + kwarn_del_warning { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + kwarn_add_warning { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_is_config_principal { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_get_tgs_ktypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + profile_get_options_boolean { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_read_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_os_init_context { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_write_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_config_files { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + profile_get_options_string { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_net_read { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_set_error_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_close { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_des_fixup_key_parity{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + k5_profile_add_realm_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_validate { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_remove_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_set_libdefaults { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_kt_remove_by_svcprinc { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_kt_remove_by_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_kt_add_ad_entries { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_kt_ad_validate { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_get_default_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_validate_get_error_msg { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + gsskrb5_extract_authz_data_from_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 }; + krb5_string_to_key { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_use_enctype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_checksum_size { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + krb5_kt_free_entry { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_getlocalsubkey { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_auth_con_getremotesubkey { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + krb5_set_default_tgs_ktypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_enctypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_ap_req { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_ap_rep { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_cred { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_decrypt_tkt_part { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_error_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_error_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_clear_error_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + valid_cksumtype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 }; + decode_krb5_ap_req { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + encode_krb5_ap_req { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_get_lifespan { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_initialize { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_default { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_destroy { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_auth_con_set_req_cksumtype{ + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + k5_profile_abandon { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_init { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_add_domain_mapping { + TYPE = FUNCTION; + FILTER = libkrb5.so.3.3; + }; + k5_profile_release { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_rc_destroy { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + profile_free_list { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_profile_add_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + get_expiry_times { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + k5_get_init_creds_password { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_free_kdc_rep { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_init_creds_opt_alloc { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_init_creds_opt_free { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + krb5_get_init_creds_opt_set_pa { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 }; + + local: + *; +}; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_accept_sec_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_accept_sec_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,503 @@ +'\" te +.\" Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. +.TH gss_accept_sec_context 3GSS "22 May 2006" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_accept_sec_context \- accept a security context initiated by a peer application +.SH SYNOPSIS +.LP +.nf +cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lgss\fR [ \fIlibrary\fR\&.\|.\|. ] +#include + +\fBOM_uint32\fR \fBgss_accept_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_ctx_id_t *\fR\fIcontext_handle\fR, + \fBconst gss_cred_id_t\fR \fIacceptor_cred_handle\fR, + \fBconst gss_buffer_t\fR \fIinput_token\fR, + \fBconst gss_channel_bindings_t\fR \fIinput_chan_bindings\fR, + \fBconst gss_name_t *\fR \fIsrc_name\fR, \fBgss_OID *\fR \fImech_type\fR, + \fBgss_buffer_t\fR \fIoutput_token\fR, \fBOM_uint32 *\fR\fIret_flags\fR, + \fBOM_uint32 *\fR \fItime_rec\fR, \fBgss_cred_id_t *\fR\fIdelegated_cred_handle\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_accept_sec_context()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.sp .6 +.RS 4n +The status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.sp .6 +.RS 4n +The context handle to return to the initiator. This should be set to \fBGSS_C_NO_CONTEXT\fR before the loop begins. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIacceptor_cred_handle\fR\fR +.ad +.sp .6 +.RS 4n +The handle for the credentials acquired by the acceptor, typically through \fBgss_acquire_cred()\fR. It may be initialized to \fBGSS_C_NO_CREDENTIAL\fR to indicate a default credential to use. If no default credential is defined, the function returns \fBGSS_C_NO_CRED\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_token_buffer\fR\fR +.ad +.sp .6 +.RS 4n +Token received from the context initiative. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_chan_bindings\fR\fR +.ad +.sp .6 +.RS 4n +Optional application-specified bindings. Allows application to securely bind channel identification information to the security context. Set to \fBGSS_C_NO_CHANNEL_BINDINGS\fR if you do not want to use channel bindings. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIsrc_name\fR\fR +.ad +.sp .6 +.RS 4n +The authenticated name of the context initiator. After use, this name should be deallocated by passing it to \fBgss_release_name()\fR. See \fBgss_release_name\fR(3GSS). If not required, specify \fBNULL\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.sp .6 +.RS 4n +The security mechanism used. Set to \fBNULL\fR if it does not matter which mechanism is used. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_token\fR\fR +.ad +.sp .6 +.RS 4n +The token to send to the acceptor. Initialize it to \fBGSS_C_NO_BUFFER\fR before the function is called (or its length field set to zero). If the length is zero, no token need be sent. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIret_flags\fR\fR +.ad +.sp .6 +.RS 4n +Contains various independent flags, each of which indicates that the context supports a specific service option. If not needed, specify \fBNULL\fR. Test the returned bit-mask \fIret_flags\fR value against its symbolic name to determine if the given option is supported by the context. \fIret_flags\fR may contain one of the following values: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_DELEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, delegated credentials are available by means of the \fIdelegated_cred_handle\fR parameter. If false, no credentials were delegated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_MUTUAL_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, a remote peer asked for mutual authentication. If false, no remote peer asked for mutual authentication. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_REPLAY_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, replay of protected messages will be detected. If false, replayed messages will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, out of sequence protected messages will be detected. If false, they will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_CONF_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, confidentiality service may be invoked by calling the \fBgss_wrap()\fR routine. If false, no confidentiality service is available by means of \fBgss_wrap()\fR. \fBgss_wrap()\fR will provide message encapsulation, data-origin authentication and integrity services only. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_INTEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, integrity service may be invoked by calling either the \fBgss_get_mic\fR(3GSS) or the \fBgss_wrap\fR(3GSS) routine. If false, per-message integrity service is not available. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_ANON_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the initiator does not wish to be authenticated. The \fIsrc_name\fR parameter, if requested, contains an anonymous internal name. If false, the initiator has been authenticated normally. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_PROT_READY_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the protection services specified by the states of \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR are available if the accompanying major status return value is either \fBGSS_S_COMPLETE\fR or \fBGSS_S_CONTINUE_NEEDED\fR. If false, the protection services are available only if the accompanying major status return value is \fBGSS_S_COMPLETE\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_TRANS_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the resultant security context may be transferred to other processes by means of a call to \fBgss_export_sec_context\fR(3GSS). If false, the security context cannot be transferred. +.RE + +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_rec\fR\fR +.ad +.sp .6 +.RS 4n +The number of sections for which the context will remain valid. Specify \fBNULL\fR if not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdelegated_cred_handle\fR\fR +.ad +.sp .6 +.RS 4n +The credential value for credentials received from the context's initiator. It is valid only if the initiator has requested that the acceptor act as a proxy: that is, if the \fIret_flag\fR argument resolves to \fBGSS_C_DELEG_FLAG\fR. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_accept_sec_context()\fR function allows a remotely initiated security context between the application and a remote peer to be established. The routine may return an \fIoutput_token\fR, which should be transferred to the peer application, where the peer application will present it to \fBgss_init_sec_context()\fR. See \fBgss_init_sec_context\fR(3GSS). If no token need be sent, \fBgss_accept_sec_context()\fR will indicate this by setting the length field of the \fIoutput_token\fR argument to zero. To complete the context establishment, one or more reply tokens may be required from the peer application; if so, \fBgss_accept_sec_context()\fR will return a status flag of \fBGSS_S_CONTINUE_NEEDED\fR, in which case it should be called again when the reply token is received from the peer application, passing the token to \fBgss_accept_sec_context()\fR by means of the \fIinput_token\fR parameters. +.sp +.LP +Portable applications should be constructed to use the token length and return status to determine whether to send or to wait for a token. +.sp +.LP +Whenever \fBgss_accept_sec_context()\fR returns a major status that includes the value \fBGSS_S_CONTINUE_NEEDED\fR, the context is not fully established, and the following restrictions apply to the output parameters: +.RS +4 +.TP +.ie t \(bu +.el o +The value returned by means of the \fItime_rec\fR parameter is undefined. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +Unless the accompanying \fIret_flags\fR parameter contains the bit \fBGSS_C_PROT_READY_FLAG\fR, which indicates that per-message services may be applied in advance of a successful completion status, the value returned by the \fImech_type\fR parameter may be undefined until \fBgss_accept_sec_context()\fR returns a major status value of \fBGSS_S_COMPLETE\fR. +.RE +.sp +.LP +The values of the \fBGSS_C_DELEG_FLAG\fR, \fBGSS_C_MUTUAL_FLAG\fR, \fBGSS_C_REPLAY_FLAG\fR, \fBGSS_C_SEQUENCE_FLAG\fR, \fBGSS_C_CONF_FLAG\fR, \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_ANON_FLAG\fR bits returned by means of the \fIret_flags\fR parameter are values that would be valid if context establishment were to succeed. +.sp +.LP +The values of the \fBGSS_C_PROT_READY_FLAG\fR and \fBGSS_C_TRANS_FLAG\fR bits within \fIret_flags\fR indicate the actual state at the time \fBgss_accept_sec_context()\fR returns, whether or not the context is fully established. However, applications should not rely on this behavior, as \fBGSS_C_PROT_READY_FLAG\fR was not defined in Version 1 of the \fBGSS-API\fR. Instead, applications should be prepared to use per-message services after a successful context establishment, based upon the \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_CONF_FLAG\fR values. +.sp +.LP +All other bits within the \fIret_flags\fR argument are set to zero. +.sp +.LP +While \fBgss_accept_sec_context()\fR returns \fBGSS_S_CONTINUE_NEEDED\fR, the values returned by means of the the \fIret_flags\fR argument indicate the services available from the established context. If the initial call of \fBgss_accept_sec_context()\fR fails, no context object is created, and the value of the \fIcontext_handle\fR parameter is set to \fBGSS_C_NO_CONTEXT\fR. In the event of a failure on a subsequent call, the security context and the \fIcontext_handle\fR parameter are left untouched for the application to delete using \fBgss_delete_sec_context\fR(3GSS). During context establishment, the informational status bits \fBGSS_S_OLD_TOKEN\fR and \fBGSS_S_DUPLICATE_TOKEN\fR indicate fatal errors; \fBGSS-API\fR mechanisms always return them in association with a routine error of \fBGSS_S_FAILURE\fR. This pairing requirement did not exist in version 1 of the \fBGSS-API\fR specification, so applications that wish to run over version 1 implementations must special-case these codes. +.SH ERRORS +.sp +.LP +\fBgss_accept_sec_context()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 30n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTINUE_NEEDED\fR\fR +.ad +.RS 30n +.rt +A token from the peer application is required to complete the context, and that \fBgss_accept_sec_context()\fR must be called again with that token. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.RS 30n +.rt +Consistency checks performed on the \fIinput_token\fR failed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR +.ad +.RS 30n +.rt +Consistency checks performed on the credential failed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 30n +.rt +The supplied credentials were not valid for context acceptance, or the credential handle did not reference any credentials. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.RS 30n +.rt +The referenced credentials have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_BINDINGS\fR\fR +.ad +.RS 30n +.rt +The \fIinput_token\fR contains different channel bindings than those specified by means of the \fIinput_chan_bindings\fR parameter. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 30n +.rt +The supplied context handle did not refer to a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_SIG\fR\fR +.ad +.RS 30n +.rt +The \fIinput_token\fR contains an invalid \fBMIC\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_OLD_TOKEN\fR\fR +.ad +.RS 30n +.rt +The \fIinput_token\fR was too old. This is a fatal error while establishing context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR +.ad +.RS 30n +.rt +The \fIinput_token\fR is valid, but it is duplicate of a token already processed. This is a fatal error while establishing context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 30n +.rt +The token received specified a mechanism that is not supported by the implementation or the provided credential. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 30n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH EXAMPLES +.LP +\fBExample 1 \fRInvoking \fBgss_accept_sec_context()\fR Within a Loop +.sp +.LP +A typical portable caller should always invoke \fBgss_accept_sec_context()\fR within a loop: + +.sp +.in +2 +.nf +gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + +do { + receive_token_from_peer(input_token); + maj_stat = gss_accept_sec_context(&min_stat, + &context_hdl, + cred_hdl, + input_token, + input_bindings, + &client_name, + &mech_type, + output_token, + &ret_flags, + &time_rec, + &deleg_cred); + if (GSS_ERROR(maj_stat)) { + report_error(maj_stat, min_stat); + }; + if (output_token->length != 0) { + send_token_to_peer(output_token); + gss_release_buffer(&min_stat, output_token); + }; + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + }; +} while (maj_stat & GSS_S_CONTINUE_NEEDED); + +/* Check client_name authorization */ +\&... + +(void) gss_release_name(&min_stat, &client_name); + +/* Use and/or store delegated credential */ +\&... + +(void) gss_release_cred(&min_stat, &deleg_cred); +.fi +.in -2 + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_get_mic\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_name\fR(3GSS), \fBgss_store_cred\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_acquire_cred.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_acquire_cred.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,231 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_acquire_cred 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_acquire_cred \- acquire a handle for a pre-existing credential by name +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_acquire_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIdesired_name\fR, \fBOM_uint32\fR \fItime_req\fR, + \fBconst gss_OID_set\fR \fIdesired_mech\fR, \fBgss_cred_usage_t\fR \fIcred_usage\fR, + \fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR, \fBgss_OID_set *\fR\fIactual_mechs\fR, + \fBOM_uint32 *\fR\fItime_rec\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_acquire_cred()\fR function allows an application to acquire a handle for a pre-existing credential by name. This routine is not intended as a function to login to the network; a function for login to the network would involve creating new credentials rather than merely acquiring a handle to existing credentials. +.sp +.LP +If \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is interpreted as a request for a credential handle that will invoke default behavior when passed to \fBgss_init_sec_context\fR(3GSS) (if \fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR) or \fBgss_accept_sec_context\fR(3GSS) (if \fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR). +.sp +.LP +Normally \fBgss_acquire_cred()\fR returns a credential that is valid only for the mechanisms requested by the \fIdesired_mechs\fR argument. However, if multiple mechanisms can share a single credential element, the function returns all the mechanisms for which the credential is valid in the \fIactual_mechs\fR argument. +.sp +.LP +\fBgss_acquire_cred()\fR is intended to be used primarily by context acceptors, since the \fBGSS-API\fR routines obtain initiator credentials through the system login process. Accordingly, you may not acquire \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred()\fR for any name other than \fBGSS_C_NO_NAME\fR. Alternatively, you may acquire \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials for a name produced when \fBgss_inquire_cred\fR(3GSS) is applied to a valid credential, or when \fBgss_inquire_context\fR(3GSS) is applied to an active context. +.sp +.LP +If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required, for example, by \fBgss_init_sec_context\fR(3GSS) or by \fBgss_accept_sec_context\fR(3GSS). Such mechanism-specific implementations are, however, invisible to the calling application; thus a call of \fBgss_inquire_cred\fR(3GSS) immediately following the call of \fBgss_acquire_cred()\fR will return valid credential data and incur the overhead of a deferred credential acquisition. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_acquire_cred()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIdesired_name\fR\fR +.ad +.RS 22n +.rt +The name of the principal for which a credential should be acquired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_req\fR\fR +.ad +.RS 22n +.rt +The number of seconds that credentials remain valid. Specify \fBGSS_C_INDEFINITE\fR to request that the credentials have the maximum permitted lifetime +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdesired_mechs\fR\fR +.ad +.RS 22n +.rt +The set of underlying security mechanisms that may be used. \fBGSS_C_NO_OID_SET\fR may be used to obtain a default. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage\fR\fR +.ad +.RS 22n +.rt +A flag that indicates how this credential should be used. If the flag is \fBGSS_C_ACCEPT\fR, then credentials will be used only to accept security credentials. \fBGSS_C_INITIATE\fR indicates that credentials will be used only to initiate security credentials. If the flag is \fBGSS_C_BOTH\fR, then credentials may be used either to initiate or accept security contexts. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_cred_handle\fR\fR +.ad +.RS 22n +.rt +The returned credential handle. Resources associated with this credential handle must be released by the application after use with a call to \fBgss_release_cred\fR(3GSS) +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIactual_mechs\fR\fR +.ad +.RS 22n +.rt +The set of mechanisms for which the credential is valid. Storage associated with the returned \fBOID\fR-set must be released by the application after use with a call to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_rec\fR\fR +.ad +.RS 22n +.rt +Actual number of seconds for which the returned credentials will remain valid. Specify \fBNULL\fR if not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +Mechanism specific status code. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_acquire_cred()\fR may return the following status code: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 29n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 29n +.rt +An unavailable mechanism has been requested. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 29n +.rt +The type contained within the \fIdesired_name\fR parameter is not supported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 29n +.rt +The value supplied for \fIdesired_name\fR parameter is ill formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.RS 29n +.rt +The credentials could not be acquired because they have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 29n +.rt +No credentials were found for the specified name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 29n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_add_cred.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_add_cred.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,307 @@ +'\" te +.\" Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved. +.TH gss_add_cred 3GSS "30 Jun 2005" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_add_cred \- add a credential-element to a credential +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_add_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_cred_id_t\fR \fIinput_cred_handle\fR, + \fBconst gss_name_t\fR \fIdesired_name\fR, + \fBconst gss_OID\fR \fIdesired_mech\fR, + \fBgss_cred_usage_t\fR \fIcred_usage\fR, + \fBOM_uint32\fR \fIinitiator_time_req\fR, + \fBOM_uint32\fR \fIacceptor_time_req\fR, + \fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR, + \fBgss_OID_set *\fR\fIactual_mechs\fR, + \fBOM_uint32 *\fR\fIinitiator_time_rec\fR, + \fBOM_uint32 *\fR\fIacceptor_time_rec\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_add_cred()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +Mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_cred_handle\fR\fR +.ad +.RS 22n +.rt +Credential to which the credential-element is added. If \fBGSS_C_NO_CREDENTIAL\fR is specified, the function composes the new credential based on default behavior. While the credential-handle is not modified by \fBgss_add_cred()\fR, the underlying credential is modified if \fIoutput_credential_handle\fR is \fBNULL\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdesired_name\fR\fR +.ad +.RS 22n +.rt +Name of the principal for which a credential should be acquired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdesired_mech\fR\fR +.ad +.RS 22n +.rt +Underlying security mechanism with which the credential can be used. GSS_C_NULL_OID can be used to obtain a default. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage\fR\fR +.ad +.RS 22n +.rt +Flag that indicates how a credential is used to initiate or accept security credentials. If the flag is \fBGSS_C_ACCEPT\fR, the credentials are used only to accept security credentials. If the flag is \fBGSS_C_INITIATE\fR, the credentials are used only to initiate security credentials. If the flag is GSS_C_BOTH, the credentials can be used to either initiate or accept security contexts. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinitiator_time_req\fR\fR +.ad +.RS 22n +.rt +Number of seconds that the credential may remain valid for initiating security contexts. This argument is ignored if the composed credentials are of the \fBGSS_C_ACCEPT\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the credentials have the maximum permitted initiator lifetime. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIacceptor_time_req\fR\fR +.ad +.RS 22n +.rt +Number of seconds that the credential may remain valid for accepting security contexts. This argument is ignored if the composed credentials are of the \fBGSS_C_INITIATE\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the credentials have the maximum permitted initiator lifetime. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_cred_handle\fR\fR +.ad +.RS 22n +.rt +Returned credential handle that contains the new credential-element and all the credential-elements from \fIinput_cred_handle\fR. If a valid pointer to a \fBgss_cred_id_t\fR is supplied for this parameter, \fBgss_add_cred()\fR creates a new credential handle that contains all credential-elements from \fIinput_cred_handle\fR and the newly acquired credential-element. If \fBNULL\fR is specified for this parameter, the newly acquired credential-element is added to the credential identified by \fIinput_cred_handle\fR. +.sp +The resources associated with any credential handle returned by means of this parameter must be released by the application after use by a call to \fBgss_release_cred\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIactual_mechs\fR\fR +.ad +.RS 22n +.rt +Complete set of mechanisms for which the new credential is valid. Storage for the returned \fBOID\fR-set must be freed by the application after use by a call to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinitiator_time_rec\fR\fR +.ad +.RS 22n +.rt +Actual number of seconds for which the returned credentials remain valid for initiating contexts using the specified mechanism. If a mechanism does not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is returned. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIacceptor_time_rec\fR\fR +.ad +.RS 22n +.rt +Actual number of seconds for which the returned credentials remain valid for accepting security contexts using the specified mechanism. If a mechanism does not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is returned. Specify \fBNULL\fR if this parameter is not required. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_add_cred()\fR function adds a credential-element to a credential. The credential-element is identified by the name of the principal to which it refers. This function is not intended as a function to login to the network. A function for login to the network would involve creating new mechanism-specific authentication data, rather than acquiring a handle to existing data. +.sp +.LP +If the value of \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is interpreted as a request to add a credential-element to invoke default behavior when passed to \fBgss_init_sec_context\fR(3GSS) if the value of \fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR. The call is also interpreted as a request to add a credential-element to the invoke default behavior when passed to \fBgss_accept_sec_context\fR(3GSS) if the value of \fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR. +.sp +.LP +The \fBgss_add_cred()\fR function is expected to be used primarily by context acceptors. The \fBGSS-API\fR provides mechanism-specific ways to obtain \fBGSS-API\fR initiator credentials through the system login process. Consequently, the \fBGSS-API\fR does not support acquiring \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred\fR(3GSS) for any name other than the following: +.RS +4 +.TP +.ie t \(bu +.el o +\fBGSS_C_NO_NAME\fR +.RE +.RS +4 +.TP +.ie t \(bu +.el o +Name produced by \fBgss_inquire_cred\fR(3GSS) applied to a valid credential +.RE +.RS +4 +.TP +.ie t \(bu +.el o +Name produced by \fBgss_inquire_context\fR(3GSS) applied to an active context +.RE +.sp +.LP +If credential acquisition is time consuming for a mechanism, the mechanism can choose to delay the actual acquisition until the credential is required by \fBgss_init_sec_context\fR(3GSS), for example, or by \fBgss_accept_sec_context\fR(3GSS). Such mechanism-specific implementation decisions are invisible to the calling application. A call to \fBgss_inquire_cred\fR(3GSS) immediately following the call \fBgss_add_cred()\fR returns valid credential data as well as incurring the overhead of deferred credential acquisition. +.sp +.LP +The \fBgss_add_cred()\fR function can be used either to compose a new credential that contains all credential-elements of the original in addition to the newly-acquired credential-element. The function can also be used to add the new credential-element to an existing credential. If the value of the \fIoutput_cred_handle\fR parameter is \fBNULL\fR, the new credential-element is added to the credential identified by \fIinput_cred_handle\fR. If a valid pointer is specified for the \fIoutput_cred_handle\fR parameter, a new credential handle is created. +.sp +.LP +If the value of \fIinput_cred_handle\fR is \fBGSS_C_NO_CREDENTIAL\fR, the \fBgss_add_cred()\fR function composes a credential and sets the \fIoutput_cred_handle\fR parameter based on the default behavior. The call has the same effect as a call first made by the application to \fBgss_acquire_cred\fR(3GSS) to specify the same usage and to pass \fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR parameter. Such an application call obtains an explicit credential handle that incorporates the default behaviors, then passes the credential handle to \fBgss_add_cred()\fR, and finally calls \fBgss_release_cred\fR(3GSS) on the first credential handle. +.sp +.LP +If the value of the \fIinput_cred_handle\fR parameter is \fBGSS_C_NO_CREDENTIAL\fR, a non-\fBNULL\fR value must be supplied for the \fIoutput_cred_handle\fR parameter. +.SH RETURN VALUES +.sp +.LP +The \fBgss_add_cred()\fR function can return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 29n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 29n +.rt +An unavailable mechanism has been requested. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 29n +.rt +The type contained within the \fIdesired_name\fR parameter is not supported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 29n +.rt +The value supplied for \fIdesired_name\fR parameter is ill formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR +.ad +.RS 29n +.rt +The credential already contains an element for the requested mechanism that has overlapping usage and validity period. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.RS 29n +.rt +The credentials could not be added because they have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 29n +.rt +No credentials were found for the specified name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 29n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_add_oid_set_member.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_add_oid_set_member.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,109 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_add_oid_set_member 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_add_oid_set_member \- add an object identifier to an object identifier set +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_add_oid_set_member\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_OID\fR \fImember_oid\fR, \fBgss_OID_set *\fR\fIoid_set\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_add_oid_set_member()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImember_oid\fR\fR +.ad +.RS 16n +.rt +Object identifier to be copied into the set. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid_set\fR\fR +.ad +.RS 16n +.rt +Set in which the object identifier should be inserted. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_add_oid_set_member()\fR function adds an object identifier to an object identifier set. You should use this function in conjunction with \fBgss_create_empty_oid_set\fR(3GSS) when constructing a set of mechanism \fBOID\fRs for input to \fBgss_acquire_cred\fR(3GSS). The \fIoid_set\fR parameter must refer to an \fBOID\fR-set created by \fBGSS-API\fR, that is, a set returned by \fBgss_create_empty_oid_set\fR(3GSS). +.sp +.LP +The \fBGSS-API\fR creates a copy of the \fImember_oid\fR and inserts this copy into the set, expanding the storage allocated to the \fBOID\fR-set elements array, if necessary. New members are always added to the end of the OID set's elements. If the \fImember_oid\fR is already present, the \fIoid_set\fR should remain unchanged. +.SH ERRORS +.sp +.LP +The \fBgss_add_oid_set_member()\fR function can return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.sp .6 +.RS 4n +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.sp .6 +.RS 4n +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_auth_rules.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_auth_rules.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,60 @@ +'\" te +.\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved +.TH gss_auth_rules 5 "13 Apr 2004" "SunOS 5.12" "Standards, Environments, and Macros" +.SH NAME +gss_auth_rules \- overview of GSS authorization +.SH DESCRIPTION +.sp +.LP +The establishment of the veracity of a user's credentials requires both authentication (Is this an authentic user?) and authorization (Is this authentic user, in fact, authorized?). +.sp +.LP +When a user makes use of Generic Security Services (GSS) versions of the \fBftp\fR or \fBssh\fR clients to connect to a server, the user is not necessarily authorized, even if his claimed GSS identity is authenticated, Authentication merely establishes that the user is who he says he is to the GSS mechanism's authentication system. Authorization is then required: it determines whether the GSS identity is permitted to access the specified Solaris user account. +.sp +.LP +The GSS authorization rules are as follows: +.RS +4 +.TP +.ie t \(bu +.el o +If the mechanism of the connection has a set of authorization rules, then use those rules. For example, if the mechanism is Kerberos, then use the \fBkrb5_auth_rules\fR(5), so that authorization is consistent between raw Kerberos applications and GSS/Kerberos applications. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +If the mechanism of the connection does not have a set of authorization rules, then authorization is successful if the remote user's \fBgssname\fR matches the local user's \fBgssname\fR exactly, as compared by \fBgss_compare_name\fR(3GSS). +.RE +.SH FILES +.sp +.ne 2 +.mk +.na +\fB\fB/etc/passwd\fR\fR +.ad +.RS 15n +.rt +System account file. This information may also be in a directory service. See \fBpasswd\fR(4). +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for a description of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +Interface StabilityCommitted +.TE + +.SH SEE ALSO +.sp +.LP +\fBftp\fR(1), \fBssh\fR(1), \fBgsscred\fR(1M), \fBgss_compare_name\fR(3GSS), \fBpasswd\fR(4), \fBattributes\fR(5), \fBkrb5_auth_rules\fR(5) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_canonicalize_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_canonicalize_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,151 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_canonicalize_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_canonicalize_name \- convert an internal name to a mechanism name +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_canonicalize_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIinput_name\fR,\fBconst gss_OID\fR \fImech_type\fR, + \fBgss_name_t *\fR\fIoutput_name\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_canonicalize_name()\fR function generates a canonical mechanism name from an arbitrary internal name. The mechanism name is the name that would be returned to a context acceptor on successful authentication of a context where the initiator used the \fIinput_name\fR in a successful call to \fBgss_acquire_cred\fR(3GSS), specifying an OID set containing \fImech_type\fR as its only member, followed by a call to \fBgss_init_sec_context\fR(3GSS), specifying \fImech_type\fR as the authentication mechanism. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_canonicalize_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name\fR\fR +.ad +.RS 16n +.rt +The name for which a canonical form is desired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.RS 16n +.rt +The authentication mechanism for which the canonical form of the name is desired. The desired mechanism must be specified explicitly; no default is provided. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_name\fR\fR +.ad +.RS 16n +.rt +The resultant canonical name. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_canonicalize_name()\fR function may return the status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 22n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 22n +.rt +The identified mechanism is not supported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 22n +.rt +The provided internal name contains no elements that could be processed by the specified mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 22n +.rt +The provided internal name was ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 22n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_name\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_compare_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_compare_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,143 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_compare_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_compare_name \- compare two internal-form names +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_compare_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIname1\fR,\fBconst gss_name_t\fR \fIname2\fR, + \fBint *\fR\fIname_equal\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_compare_name()\fR function allows an application to compare two internal-form names to determine whether they refer to the same entity. +.sp +.LP +If either name presented to \fBgss_compare_name()\fR denotes an anonymous principal, the routines indicate that the two names do not refer to the same identity. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_compare_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname1\fR\fR +.ad +.RS 16n +.rt +Internal-form name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname2\fR\fR +.ad +.RS 16n +.rt +Internal-form name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname_equal\fR\fR +.ad +.RS 16n +.rt +If non-zero, the names refer to same entity. If 0, the names refer to different entities. Strictly, the names are not known to refer to the same identity. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_compare_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 22n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 22n +.rt +The two names were of incomparable types. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 22n +.rt +One or both of \fIname1\fR or \fIname2\fR was ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 22n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_context_time.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_context_time.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,128 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_context_time 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_context_time \- determine how long a context will remain valid +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_context_time\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBOM_uint32 *\fR\fItime_rec\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_context_time()\fR function determines the number of seconds for which the specified context will remain valid. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_context_time()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 18n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 18n +.rt +A read-only value. Identifies the context to be interrogated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_rec\fR\fR +.ad +.RS 18n +.rt +Modifies the number of seconds that the context remains valid. If the context has already expired, returns zero. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_context_time()\fR function returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has already expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR parameter did not identify a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_init_sec_context\fR(3GSS), \fBgss_accept_sec_context\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_create_empty_oid_set.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_create_empty_oid_set.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,95 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_create_empty_oid_set 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_create_empty_oid_set \- create an object-identifier set containing no object identifiers +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_create_empty_oid_set\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_OID_set *\fR\fIoid_set\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_create_empty_oid_set()\fR function creates an object-identifier set containing no object identifiers to which members may be subsequently added using the \fBgss_add_oid_set_member\fR(3GSS) function. These functions can be used to construct sets of mechanism object identifiers for input to \fBgss_acquire_cred\fR(3GSS). +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_create_empty_oid_set()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism-specific status code +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid_set\fR\fR +.ad +.RS 16n +.rt +Empty object identifier set. The function will allocate the \fBgss_OID_set_desc\fR object, which the application must free after use with a call to \fBgss_release_oid_set\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_create_empty_oid_set()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_add_oid_set_member\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_delete_sec_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_delete_sec_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,123 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_delete_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_delete_sec_context \- delete a GSS-API security context +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_delete_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBgss_buffer_t\fR \fIoutput_token\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +Use the \fBgss_delete_sec_context()\fR function to delete a security context. The \fBgss_delete_sec_context()\fR function will delete the local data structures associated with the specified security context. You may not obtain further security services that use the context specified by \fIcontext_handle\fR. +.sp +.LP +In addition to deleting established security contexts, \fBgss_delete_sec_context()\fR will delete any half-built security contexts that result from incomplete sequences of calls to \fBgss_init_sec_context\fR(3GSS) and \fBgss_accept_sec_context\fR(3GSS). +.sp +.LP +The Solaris implementation of the \fBGSS-API\fR retains the \fIoutput_token\fR parameter for compatibility with version 1 of the \fBGSS-API\fR. Both peer applications should invoke \fBgss_delete_sec_context()\fR, passing the value \fBGSS_C_NO_BUFFER\fR to the \fIoutput_token\fR parameter; this indicates that no token is required. If the application passes a valid buffer to \fBgss_delete_sec_context()\fR, it will return a zero-length token, indicating that no token should be transferred by the application. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_delete_sec_context()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 18n +.rt +A mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 18n +.rt +Context handle identifying specific context to delete. After deleting the context, the \fBGSS-API\fR will set \fIcontext_handle\fR to \fBGSS_C_NO_CONTEXT\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_token\fR\fR +.ad +.RS 18n +.rt +A token to be sent to remote applications that instructs them to delete the context. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_delete_sec_context()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 20n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 20n +.rt +No valid context was supplied. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 20n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_display_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_display_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,135 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_display_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_display_name \- convert internal-form name to text +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_display_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIinput_name\fR,\ \fBgss_buffer_t\fR \fIoutput_name_buffer\fR, + \fBgss_OID *\fR\fIoutput_name_type\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_display_name()\fR function allows an application to obtain a textual representation of an opaque internal-form name for display purposes. +.sp +.LP +If \fIinput_name\fR denotes an anonymous principal, the \fBGSS-API\fR returns the \fBgss_OID\fR value \fBGSS_C_NT_ANONYMOUS\fR as the \fIoutput_name_type\fR, and a textual name that is syntactically distinct from all valid supported printable names in \fIoutput_name_buffer\fR. +.sp +.LP +If \fIinput_name\fR was created by a call to \fBgss_import_name\fR(3GSS), specifying \fBGSS_C_NO_OID\fR as the name-type, the GSS-API returns \fBGSS_C_NO_OID\fR by means of the \fIoutput_name_type\fR parameter. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_display_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +Mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name\fR\fR +.ad +.RS 22n +.rt +Name in internal form. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_name_buffer\fR\fR +.ad +.RS 22n +.rt +Buffer to receive textual name string. The application must free storage associated with this name after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_name_type\fR\fR +.ad +.RS 22n +.rt +The type of the returned name. The returned \fBgss_OID\fR will be a pointer into static storage and should be treated as read-only by the caller. In particular, the application should not attempt to free it. Specify \fINULL\fR if this parameter is not required. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_display_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 18n +.rt +The \fIinput_name\fR was ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_import_name\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_display_status.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_display_status.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,169 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_display_status 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_display_status \- convert a GSS-API status code to text +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_display_status\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBOM_uint32\fR \fIstatus value\fR,\fBint\fR \fIstatus type\fR, + \fBconst gss_OID\fR \fImech_type\fR, \fBOM_uint32 *\fR\fImessage_context\fR, + \fBgss_buffer_t\fR \fIstatus string\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_display_status()\fR function enables an application to obtain a textual representation of a \fBGSS-API\fR status code for display to the user or for logging purposes. Because some status values may indicate multiple conditions, applications may need to call \fBgss_display_status()\fR multiple times, with each call generating a single text string. +.sp +.LP +The \fImessage_context\fR parameter is used by \fBgss_acquire_cred()\fR to store state information on error messages that are extracted from a given \fIstatus_value\fR. The \fImessage_context\fR parameter must be initialized to 0 by the application prior to the first call, and \fBgss_display_status()\fR will return a non-zero value in this parameter if there are further messages to extract. +.sp +.LP +The \fImessage_context\fR parameter contains all state information required by \fBgss_display_status()\fR to extract further messages from the \fIstatus_value\fR. If a non-zero value is returned in this parameter, the application is not required to call \fBgss_display_status()\fR again unless subsequent messages are desired. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_display_status()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 19n +.rt +Status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIstatus_value\fR\fR +.ad +.RS 19n +.rt +Status value to be converted. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIstatus_type\fR\fR +.ad +.RS 19n +.rt +If the value is \fBGSS_C_GSS_CODE\fR, \fIstatus_value\fR is a \fBGSS-API\fR status code. If the value is \fBGSS_C_MECH_CODE\fR, then \fIstatus_value\fR is a mechanism status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.RS 19n +.rt +Underlying mechanism that is used to interpret a minor status value. Supply \fBGSS_C_NO_OID\fR to obtain the system default. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImessage_context\fR\fR +.ad +.RS 19n +.rt +Should be initialized to zero prior to the first call. On return from \fBgss_display_status()\fR, a non-zero \fIstatus_value\fR parameter indicates that additional messages may be extracted from the status code by means of subsequent calls to \fBgss_display_status()\fR, passing the same \fIstatus_value\fR, \fIstatus_type\fR, \fImech_type\fR, and \fImessage_context\fRparameters. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIstatus_string\fR\fR +.ad +.RS 19n +.rt +Textual representation of the \fIstatus_value\fR. Storage associated with this parameter must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_display_status()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 20n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 20n +.rt +Indicates that translation in accordance with an unsupported mechanism type was requested. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_STATUS\fR\fR +.ad +.RS 20n +.rt +The status value was not recognized, or the status type was neither \fBGSS_C_GSS_CODE\fR nor \fBGSS_C_MECH_CODE\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 20n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_duplicate_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_duplicate_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,117 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_duplicate_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_duplicate_name \- create a copy of an internal name +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_duplicate_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIsrc_name\fR,\fBgss_name_t *\fR\fIdest_name\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_duplicate_name()\fR function creates an exact duplicate of the existing internal name \fIsrc_name\fR. The new \fIdest_name\fR will be independent of the \fIsrc_name\fR. The \fIsrc_name\fR and \fIdest_name\fR must both be released, and the release of one does not affect the validity of the other. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_duplicate_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIsrc_name\fR\fR +.ad +.RS 16n +.rt +Internal name to be duplicated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdest_name\fR\fR +.ad +.RS 16n +.rt +The resultant copy of \fIsrc_name\fR. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_duplicate_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 18n +.rt +The \fIsrc_name\fR parameter was ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_name\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_export_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_export_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,117 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_export_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_export_name \- convert a mechanism name to export form +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_export_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIinput_name\fR,\fBgss_buffer_t\fR \fIexported_name\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_export_name()\fR function allows a \fBGSS-API\fR internal name to be converted into a mechanism-specific name. The function produces a canonical contiguous string representation of a mechanism name, suitable for direct comparison, with \fBmemory\fR(3C), or for use in authorization functions, matching entries in an access-control list. The \fIinput_name\fR parameter must specify a valid mechanism name, that is, an internal name generated by \fBgss_accept_sec_context\fR(3GSS) or by \fBgss_canonicalize_name\fR(3GSS). +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_export_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 17n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name\fR\fR +.ad +.RS 17n +.rt +The mechanism name to be exported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIexported_name\fR\fR +.ad +.RS 17n +.rt +The canonical contiguous string form of \fIinput_name\fR. Storage associated with this string must freed by the application after use with \fBgss_release_buffer\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_export_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 21n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NAME_NOT_MN\fR\fR +.ad +.RS 21n +.rt +The provided internal name was not a mechanism name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 21n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_canonicalize_name\fR(3GSS), \fBgss_release_buffer\fR(3GSS)\fBmemory\fR(3C), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_export_sec_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_export_sec_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,148 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_export_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_export_sec_context \- transfer a security context to another process +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_export_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBgss_buffer_t\fR \fIinterprocess_token\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_export_sec_context()\fR function generates an interprocess token for transfer to another process within an end system. \fBgss_export_sec_context()\fR and \fBgss_import_sec_context()\fR allow a security context to be transferred between processes on a single machine. +.sp +.LP +The \fBgss_export_sec_context()\fR function supports the sharing of work between multiple processes. This routine is typically used by the context-acceptor, in an application where a single process receives incoming connection requests and accepts security contexts over them, then passes the established context to one or more other processes for message exchange. \fBgss_export_sec_context()\fR deactivates the security context for the calling process and creates an interprocess token which, when passed to \fBgss_import_sec_context()\fR in another process, reactivates the context in the second process. Only a single instantiation of a given context can be active at any one time; a subsequent attempt by a context exporter to access the exported security context will fail. +.sp +.LP +The interprocess token may contain security-sensitive information, for example cryptographic keys. While mechanisms are encouraged to either avoid placing such sensitive information within interprocess tokens or to encrypt the token before returning it to the application, in a typical object-library \fBGSS-API\fR implementation, this might not be possible. Thus, the application must take care to protect the interprocess token and ensure that any process to which the token is transferred is trustworthy. If creation of the interprocess token is successful, the \fBGSS-API\fR deallocates all process-wide resources associated with the security context and sets the context_handle to \fBGSS_C_NO_CONTEXT\fR. In the event of an error that makes it impossible to complete the export of the security context, the function does not return an interprocess token and leaves the security context referenced by the \fIcontext_handle\fR parameter untouched. +.sp +.LP +Sun's implementation of \fBgss_export_sec_context()\fR does not encrypt the interprocess token. The interprocess token is serialized before it is transferred to another process. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_export_sec_context()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 22n +.rt +Context handle identifying the context to transfer. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinterprocess_token\fR\fR +.ad +.RS 22n +.rt +Token to be transferred to target process. Storage associated with this token must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +\fBgss_export_sec_context()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The context was invalid. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNAVAILABLE\fR\fR +.ad +.RS 25n +.rt +The operation is not supported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_get_mic.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_get_mic.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,165 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_get_mic 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_get_mic \- calculate a cryptographic message +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_get_mic\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBgss_qop_t\fR \fIqop_req\fR, + \fBconst gss_buffer_t\fR \fImessage_buffer\fR, \fBgss_buffer_t\fR \fImsg_token\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_get_mic()\fR function generates a cryptographic \fBMIC\fR for the supplied message, and places the \fBMIC\fR in a token for transfer to the peer application. The \fIqop_req\fR parameter allows a choice between several cryptographic algorithms, if supported by the chosen mechanism. +.sp +.LP +Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR allows \fBMIC\fRs to be derived from zero-length messages. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_get_mic()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 18n +.rt +The status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 18n +.rt +Identifies the context on which the message will be sent. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIqop_req\fR\fR +.ad +.RS 18n +.rt +Specifies the requested quality of protection. Callers are encouraged, on portability grounds, to accept the default quality of protection offered by the chosen mechanism, which may be requested by specifying \fBGSS_C_QOP_DEFAULT\fR for this parameter. If an unsupported protection strength is requested, \fBgss_get_mic()\fR will return a \fImajor_status\fR of \fBGSS_S_BAD_QOP\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImessage_buffer\fR\fR +.ad +.RS 18n +.rt +The message to be protected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImsg_token\fR\fR +.ad +.RS 18n +.rt +The buffer to receive the token. Storage associated with this message must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +\fBgss_get_mic()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has already expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR parameter did not identify a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_QOP\fR\fR +.ad +.RS 25n +.rt +The specified \fBQOP\fR is not supported by the mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_buffer\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_import_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_import_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,151 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_import_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_import_name \- convert a contiguous string name to GSS_API internal format +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_import_name\fR(\fBOM_uint32 *\fR \fIminor_status\fR, + \fBconst gss_buffer_t\fR \fIinput_name_buffer\fR, \fBconst gss_OID\fR \fIinput_name_type\fR, + \fBgss_name_t *\fR\fIoutput_name\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_import_name()\fR function converts a contiguous string name to internal form. In general, the internal name returned by means of the \fIoutput_name\fR parameter will not be a mechanism name; the exception to this is if the \fIinput_name_type\fR indicates that the contiguous string provided by means of the \fIinput_name_buffer\fR parameter is of type \fBGSS_C_NT_EXPORT_NAME\fR, in which case, the returned internal name will be a mechanism name for the mechanism that exported the name. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_import_name()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 21n +.rt +Status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name_buffer\fR\fR +.ad +.RS 21n +.rt +The \fBgss_buffer_desc\fR structure containing the name to be imported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name_type\fR\fR +.ad +.RS 21n +.rt +A \fBgss_OID\fR that specifies the format that the \fIinput_name_buffer\fR is in. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_name\fR\fR +.ad +.RS 21n +.rt +The \fBgss_name_t\fR structure to receive the returned name in internal form. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_import_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 22n +.rt +The \fBgss_import_name()\fR function completed successfully. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 22n +.rt +The \fIinput_name_type\fR was unrecognized. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 22n +.rt +The \fIinput_name\fR parameter could not be interpreted as a name of the specified type. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.RS 22n +.rt +The \fIinput_name_type\fR was \fBGSS_C_NT_EXPORT_NAME\fR, but the mechanism contained within the \fIinput_name\fR is not supported. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 22n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_import_sec_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_import_sec_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,150 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_import_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_import_sec_context \- import security context established by another process +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_import_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_buffer_t\fR \fIinterprocess_token\fR,\fBgss_ctx_id_t *\fR\fIcontext_handle\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_import_sec_context()\fR function allows a process to import a security context established by another process. A given interprocess token can be imported only once. See \fBgss_export_sec_context\fR(3GSS). +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_import_sec_context()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinterprocess_token\fR\fR +.ad +.RS 22n +.rt +Token received from exporting process. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 22n +.rt +Context handle of newly reactivated context. Resources associated with this context handle must be released by the application after use with a call to \fBgss_delete_sec_context\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +\fBgss_import_sec_context()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The token did not contain a valid context reference. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was invalid. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNAVAILABLE\fR\fR +.ad +.RS 25n +.rt +The operation is unavailable. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNAUTHORIZED\fR\fR +.ad +.RS 25n +.rt +Local policy prevents the import of this context by the current process. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_context_time\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_indicate_mechs.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_indicate_mechs.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,95 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_indicate_mechs 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_indicate_mechs \- determine available security mechanisms +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_indicate_mechs\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_OID_set *\fR\fImech_set\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_indicate_mechs()\fR function enables an application to determine available underlying security mechanisms. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_indicate_mechs()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_set\fR\fR +.ad +.RS 16n +.rt +Set of supported mechanisms. The returned \fBgss_OID_set\fR value will be a dynamically-allocated \fBOID\fR set that should be released by the caller after use with a call to \fBgss_release_oid_set\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_indicate_mechs()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_init_sec_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_init_sec_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,637 @@ +'\" te +.\" Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved. +.TH gss_init_sec_context 3GSS "6 Nov 2009" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_init_sec_context \- initiate a GSS-API security context with a peer application +.SH SYNOPSIS +.LP +.nf +cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lgss\fR [ \fIlibrary\fR\&.\|.\|. ] +#include + +\fBOM_uint32\fR \fBgss_init_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_cred_id_t\fR \fIinitiator_cred_handle\fR, + \fBgss_ctx_id_t *\fR\fIcontext_handle\fR, \fBconst gss_name_t *\fR\fItarget_name\fR, + \fBconst gss_OID\fR \fImech_type\fR, \fBOM_uint32\fR \fIreq_flags\fR, + \fBOM_uint32\fR \fItime_req\fR, \fBconst gss_channel_bindings_t\fR \fIinput_chan_bindings\fR, + \fBconst gss_buffer_t\fR \fIinput_token\fR, \fBgss_OID *\fR\fIactual_mech_type\fR, + \fBgss_buffer_t\fR \fIoutput_token\fR, \fBOM_uint32 *\fR\fIret_flags\fR, + \fBOM_uint32 *\fR\fItime_rec\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_init_sec_context()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.sp .6 +.RS 4n +A mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinitiator_cred_handle\fR\fR +.ad +.sp .6 +.RS 4n +The handle for the credentials claimed. Supply \fBGSS_C_NO_CREDENTIAL\fR to act as a default initiator principal. If no default initiator is defined, the function returns \fBGSS_S_NO_CRED\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.sp .6 +.RS 4n +The context handle for a new context. Supply the value \fBGSS_C_NO_CONTEXT\fR for the first call, and use the value returned in any continuation calls. The resources associated with \fIcontext_handle\fR must be released by the application after use by a call to \fBgss_delete_sec_context\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItarget_name\fR\fR +.ad +.sp .6 +.RS 4n +The name of the context acceptor. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.sp .6 +.RS 4n +The object \fBID\fR of the desired mechanism. To obtain a specific default, supply the value \fBGSS_C_NO_OID\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIreq_flags\fR\fR +.ad +.sp .6 +.RS 4n +Contains independent flags, each of which will request that the context support a specific service option. A symbolic name is provided for each flag. Logically-\fBOR\fR the symbolic name to the corresponding required flag to form the bit-mask value. \fIreq_flags\fR may contain one of the following values: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_DELEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, delegate credentials to a remote peer. Do not delegate the credentials if the value is false. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_MUTUAL_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, request that the peer authenticate itself. If false, authenticate to the remote peer only. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_REPLAY_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, enable replay detection for messages protected with \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS). Do not attempt to detect replayed messages if false. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, enable detection of out-of-sequence protected messages. Do not attempt to detect out-of-sequence messages if false. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_CONF_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, request that confidential service be made available by means of \fBgss_wrap\fR(3GSS). If false, no per-message confidential service is required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_INTEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, request that integrity service be made available by means of \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS). If false, no per-message integrity service is required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_ANON_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, do not reveal the initiator's identify to the acceptor. If false, authenticate normally. +.RE + +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_req\fR\fR +.ad +.sp .6 +.RS 4n +The number of seconds for which the context will remain valid. Supply a zero value to \fItime_req\fR to request a default validity period. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_chan_bindings\fR\fR +.ad +.sp .6 +.RS 4n +Optional application-specified bindings. Allows application to securely bind channel identification information to the security context. Set to \fBGSS_C_NO_CHANNEL_BINDINGS\fR if you do not want to use channel bindings. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_token\fR\fR +.ad +.sp .6 +.RS 4n +Token received from the peer application. On the initial call, supply \fBGSS_C_NO_BUFFER\fR or a pointer to a buffer containing the value \fBGSS_C_EMPTY_BUFFER\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIactual_mech_type\fR\fR +.ad +.sp .6 +.RS 4n +The actual mechanism used. The \fBOID\fR returned by means of this parameter will be pointer to static storage that should be treated as read-only. The application should not attempt to free it. To obtain a specific default, supply the value \fBGSS_C_NO_OID\fR. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_token\fR\fR +.ad +.sp .6 +.RS 4n +The token to send to the peer application. If the length field of the returned buffer is zero, no token need be sent to the peer application. After use storage associated with this buffer must be freed by the application by a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIret_flags\fR\fR +.ad +.sp .6 +.RS 4n +Contains various independent flags, each of which indicates that the context supports a specific service option. If not needed, specify \fBNULL\fR. Test the returned bit-mask \fIret_flags\fR value against its symbolic name to determine if the given option is supported by the context. \fIret_flags\fR may contain one of the following values: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_DELEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, credentials were delegated to the remote peer. If false, no credentials were delegated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_MUTUAL_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the remote peer authenticated itself. If false, the remote peer did not authenticate itself. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_REPLAY_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, replay of protected messages will be detected. If false, replayed messages will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, out of sequence protected messages will be detected. If false, they will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_CONF_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, confidential service may be invoked by calling the \fBgss_wrap()\fR routine. If false, no confidentiality service is available by means of \fBgss_wrap\fR(3GSS). \fBgss_wrap()\fR will provide message encapsulation, data-origin authentication and integrity services only. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_INTEG_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, integrity service may be invoked by calling either the \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS) routine. If false, per-message integrity service is not available. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_ANON_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the initiator's identity has not been revealed; it will not be revealed if any emitted token is passed to the acceptor. If false, the initiator has been or will be authenticated normally. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_PROT_READY_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the protection services specified by the states of \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR are available if the accompanying major status return value is either \fBGSS_S_COMPLETE\fR or \fBGSS_S_CONTINUE_NEEDED\fR. If false, the protection services are available only if the accompanying major status return value is \fBGSS_S_COMPLETE\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_TRANS_FLAG\fR\fR +.ad +.sp .6 +.RS 4n +If true, the resultant security context may be transferred to other processes by means of a call to \fBgss_export_sec_context\fR(3GSS). If false, the security context cannot be transferred. +.RE + +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItime_rec\fR\fR +.ad +.sp .6 +.RS 4n +The number of seconds for which the context will remain valid. Specify \fBNULL\fR if the parameter is not required. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_init_sec_context()\fR function initiates the establishment of a security context between the application and a remote peer. Initially, the \fIinput_token\fR parameter should be specified either as \fBGSS_C_NO_BUFFER\fR, or as a pointer to a \fBgss_buffer_desc\fR object with a \fBlength\fR field that contains a zero value. The routine may return a \fIoutput_token\fR, which should be transferred to the peer application, which will present it to \fBgss_accept_sec_context\fR(3GSS). If no token need be sent, \fBgss_init_sec_context()\fR will indicate this by setting the \fBlength\fR field of the \fIoutput_token\fR argument to zero. To complete context establishment, one or more reply tokens may be required from the peer application; if so, \fBgss_init_sec_context()\fR will return a status code that contains the supplementary information bit \fBGSS_S_CONTINUE_NEEDED\fR. In this case, make another call to \fBgss_init_sec_context()\fR when the reply token is received from the peer application and pass the reply token to \fBgss_init_sec_context()\fR by means of the \fIinput_token\fR parameter. +.sp +.LP +Construct portable applications to use the token length and return status to determine whether to send or wait for a token. +.sp +.LP +Whenever the routine returns a major status that includes the value \fBGSS_S_CONTINUE_NEEDED\fR, the context is not fully established, and the following restrictions apply to the output parameters: +.RS +4 +.TP +.ie t \(bu +.el o +The value returned by means of the \fItime_rec\fR parameter is undefined. Unless the accompanying \fIret_flags\fR parameter contains the bit \fBGSS_C_PROT_READY_FLAG\fR, which indicates that per-message services may be applied in advance of a successful completion status, the value returned by means of the \fIactual_mech_type\fR parameter is undefined until the routine returns a major status value of \fBGSS_S_COMPLETE\fR. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +The values of the \fBGSS_C_DELEG_FLAG\fR, \fBGSS_C_MUTUAL_FLAG\fR, \fBGSS_C_REPLAY_FLAG\fR, \fBGSS_C_SEQUENCE_FLAG\fR, \fBGSS_C_CONF_FLAG\fR, \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_ANON_FLAG\fR bits returned by the \fIret_flags\fR parameter contain values that will be valid if context establishment succeeds. For example, if the application requests a service such as delegation or anonymous authentication by means of the \fIreq_flags\fR argument, and the service is unavailable from the underlying mechanism, \fBgss_init_sec_context()\fR generates a token that will not provide the service, and it indicate by means of the \fIret_flags\fR argument that the service will not be supported. The application may choose to abort context establishment by calling \fBgss_delete_sec_context\fR(3GSS) if it cannot continue without the service, or if the service was merely desired but not mandatory, it may transmit the token and continue context establishment. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +The values of the \fBGSS_C_PROT_READY_FLAG\fR and \fBGSS_C_TRANS_FLAG\fR bits within \fIret_flags\fR indicate the actual state at the time \fBgss_init_sec_context()\fR returns, whether or not the context is fully established. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +The \fBGSS-API\fR sets the \fBGSS_C_PROT_READY_FLAG\fR in the final \fIret_flags\fR returned to a caller, for example, when accompanied by a \fBGSS_S_COMPLETE\fR status code. However, applications should not rely on this behavior, as the flag was not defined in Version 1 of the \fBGSS-API\fR. Instead, applications should determine what per-message services are available after a successful context establishment according to the \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_CONF_FLAG\fR values. +.RE +.RS +4 +.TP +.ie t \(bu +.el o +All other bits within the \fIret_flags\fR argument are set to zero. +.RE +.sp +.LP +If the initial call of \fBgss_init_sec_context()\fR fails, the \fBGSS-API\fR does not create a context object; it leaves the value of the \fIcontext_handle\fR parameter set to \fBGSS_C_NO_CONTEXT\fR to indicate this. In the event of failure on a subsequent call, the \fBGSS-API\fR leaves the security context untouched for the application to delete using \fBgss_delete_sec_context\fR(3GSS). +.sp +.LP +During context establishment, the informational status bits \fBGSS_S_OLD_TOKEN\fR and \fBGSS_S_DUPLICATE_TOKEN\fR indicate fatal errors, and \fBGSS-API\fR mechanisms should always return them in association with a status code of \fBGSS_S_FAILURE\fR. This pairing requirement was not part of Version 1 of the GSS-API specification, so applications that wish to run on Version 1 implementations must special-case these codes. +.SH ERRORS +.sp +.LP +\fBgss_init_sec_context()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.sp .6 +.RS 4n +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTINUE_NEEDED\fR\fR +.ad +.sp .6 +.RS 4n +A token from the peer application is required to complete the context, and \fBgss_init_sec_context()\fR must be called again with that token. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.sp .6 +.RS 4n +Consistency checks performed on the \fIinput_token\fR failed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR +.ad +.sp .6 +.RS 4n +Consistency checks performed on the credential failed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.sp .6 +.RS 4n +The supplied credentials are not valid for context acceptance, or the credential handle does not reference any credentials. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.sp .6 +.RS 4n +The referenced credentials have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_BINDINGS\fR\fR +.ad +.sp .6 +.RS 4n +The \fIinput_token\fR contains different channel bindings than those specified by means of the \fIinput_chan_bindings\fR parameter. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_SIG\fR\fR +.ad +.sp .6 +.RS 4n +The \fIinput_token\fR contains an invalid \fBMIC\fR or a \fBMIC\fR that cannot be verified. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_OLD_TOKEN\fR\fR +.ad +.sp .6 +.RS 4n +The \fIinput_token\fR is too old. This is a fatal error while establishing context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR +.ad +.sp .6 +.RS 4n +The \fIinput_token\fR is valid, but it is a duplicate of a token already processed. This is a fatal error while establishing context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.sp .6 +.RS 4n +The supplied context handle does not refer to a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.sp .6 +.RS 4n +The provided \fItarget_name\fR parameter contains an invalid or unsupported \fIname\fR type. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.sp .6 +.RS 4n +The supplied \fItarget_name\fR parameter is ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_MECH\fR\fR +.ad +.sp .6 +.RS 4n +The token received specifies a mechanism that is not supported by the implementation or the provided credential. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.sp .6 +.RS 4n +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH EXAMPLES +.LP +\fBExample 1 \fRInvoking \fBgss_init_sec_context()\fR Within a Loop +.sp +.LP +A typical portable caller should always invoke \fBgss_init_sec_context()\fR within a loop: + +.sp +.in +2 +.nf +int context_established = 0; +gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + ... +input_token->length = 0; + +while (!context_established) { + maj_stat = gss_init_sec_context(&min_stat, + cred_hdl, + &context_hdl, + target_name, + desired_mech, + desired_services, + desired_time, + input_bindings, + input_token, + &actual_mech, + output_token, + &actual_services, + &actual_time); + if (GSS_ERROR(maj_stat)) { + report_error(maj_stat, min_stat); + }; + + if (output_token->length != 0) { + send_token_to_peer(output_token); + gss_release_buffer(&min_stat, output_token) + }; + if (GSS_ERROR(maj_stat)) { + + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + }; + if (maj_stat & GSS_S_CONTINUE_NEEDED) { + receive_token_from_peer(input_token); + } else { + context_established = 1; + }; +}; +.fi +.in -2 + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_get_mic\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_inquire_context.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_inquire_context.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,285 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_inquire_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_inquire_context \- obtain information about a security context +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_inquire_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR,\fBgss_name_t *\fR\fIsrc_name\fR, + \fBgss_name_t *\fR\fItarg_name\fR, \fBOM_uint32 *\fR\fIlifetime_rec\fR, + \fBgss_OID *\fR\fImech_type\fR, \fBOM_uint32 *\fR\fIctx_flags\fR, + \fBint *\fR\fIlocally_initiated\fR, \fBint *\fR\fIopen\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_inquire_context()\fR function obtains information about a security context. The caller must already have obtained a handle that refers to the context, although the context need not be fully established. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_inquire_context()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 21n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 21n +.rt +A handle that refers to the security context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIsrc_name\fR\fR +.ad +.RS 21n +.rt +The name of the context initiator. If the context was established using anonymous authentication, and if the application invoking \fBgss_inquire_context()\fR is the context acceptor, an anonymous name is returned. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItarg_name\fR\fR +.ad +.RS 21n +.rt +The name of the context acceptor. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR. If the context acceptor did not authenticate itself, and if the initiator did not specify a target name in its call to \fBgss_init_sec_context()\fR, the value \fBGSS_C_NO_NAME\fR is returned. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIlifetime_rec\fR\fR +.ad +.RS 21n +.rt +The number of seconds for which the context will remain valid. If the context has expired, this parameter will be set to zero. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.RS 21n +.rt +The security mechanism providing the context. The returned \fBOID\fR is a pointer to static storage that should be treated as read-only by the application; in particular, the application should not attempt to free it. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIctx_flags\fR\fR +.ad +.RS 21n +.rt +Contains various independent flags, each of which indicates that the context supports (or is expected to support, if \fBctx_open\fR is false) a specific service option. If not needed, specify \fBNULL\fR. Symbolic names are provided for each flag, and the symbolic names corresponding to the required flags should be logically \fBAND\fRed with the \fBret_flags\fR value to test whether a given option is supported by the context. The flags are: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_DELEG_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, credentials were delegated from the initiator to the acceptor. If false, no credentials were delegated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_MUTUAL_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, the acceptor was authenticated to the initiator. If false, the acceptor did not authenticate itself. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_REPLAY_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, the replay of protected messages will be detected. If false, replayed messages will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, out-of-sequence protected messages will be detected. If false, out-of-sequence messages will not be detected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_CONF_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, confidential service may be invoked by calling the \fBgss_wrap\fR(3GSS) routine. If false, no confidential service is available through \fBgss_wrap()\fR. \fBgss_wrap()\fR provides message encapsulation, data-origin authentication, and integrity services only. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_INTEG_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, integrity service can be invoked by calling either the \fBgss_get_mic()\fR or the \fBgss_wrap()\fR routine. If false, per-message integrity service is unavailable. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_ANON_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, the initiator's identity is not revealed to the acceptor. The \fIsrc_name\fR parameter, if requested, contains an anonymous internal name. If false, the initiator has been authenticated normally. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_PROT_READY_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, the protection services, as specified by the states of the \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR, are available for use. If false, they are available only if the context is fully established, that is, if the \fIopen\fR parameter is non-zero. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_C_TRANS_FLAG\fR\fR +.ad +.RS 25n +.rt +If true, resultant security context can be transferred to other processes through a call to \fBgss_export_sec_context()\fR. If false, the security context is not transferable. +.RE + +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIlocally_initiated\fR\fR +.ad +.RS 21n +.rt +Non-zero if the invoking application is the context initiator. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIopen\fR\fR +.ad +.RS 21n +.rt +Non-zero if the context is fully established; zero if a context-establishment token is expected from the peer application. Specify \fBNULL\fR if the parameter is not required. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_inquire_context()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 20n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 20n +.rt +The referenced context could not be accessed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 20n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_context_time\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_inquire_cred.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_inquire_cred.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,174 @@ +'\" te +.\" Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. +.TH gss_inquire_cred 3GSS "30 Jan 2004" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_inquire_cred \- obtain information about a credential +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_inquire_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_cred_id_t\fR \fIcred_handle\fR,\fBgss_name_t *\fR\fIname\fR, + \fBOM_uint32 *\fR\fIlifetime\fR, \fBgss_cred_usage_t *\fR\fIcred_usage\fR, + \fBgss_OID_set *\fR\fImechanisms\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_inquire_cred()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_handle\fR\fR +.ad +.RS 16n +.rt +Handle that refers to the target credential. Specify \fBGSS_C_NO_CREDENTIAL\fR to inquire about the default initiator principal. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname\fR\fR +.ad +.RS 16n +.rt +Name of the identity asserted by the credential. Any storage associated with this name should be freed by the application after use by a call to \fBgss_release_name\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIlifetime\fR\fR +.ad +.RS 16n +.rt +Number of seconds for which the credential remains valid. If the credential has expired, this parameter will be set to zero. Specify \fBNULL\fR if the parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage\fR\fR +.ad +.RS 16n +.rt +Flag that indicates how a credential is used. The \fIcred_usage\fR parameter may contain one of the following values: \fBGSS_C_INITIATE\fR, \fBGSS_C_ACCEPT\fR, or \fBGSS_C_BOTH\fR. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImechanisms\fR\fR +.ad +.RS 16n +.rt +Set of mechanisms supported by the credential. Storage for the returned \fBOID\fR-set must be freed by the application after use by a call to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not required. +.RE + +.SH DESCRIPTION +.sp +.LP +Use the \fBgss_inquire_cred()\fR function to obtain information about a credential. +.SH RETURN VALUES +.sp +.LP +The \fBgss_inquire_cred()\fR function can return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 30n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 30n +.rt +The referenced credentials could not be accessed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR +.ad +.RS 30n +.rt +The referenced credentials were invalid. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.RS 30n +.rt +The referenced credentials have expired. If the \fIlifetime\fR parameter was not passed as \fBNULL\fR, it will be set to \fB0\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 30n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_name\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_inquire_cred_by_mech.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_inquire_cred_by_mech.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,193 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_inquire_cred_by_mech 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_inquire_cred_by_mech \- obtain per-mechanism information about a credential +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_inquire_cred_by_mech\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_cred_id_t\fR \fIcred_handle\fR,\fBconst gss_OID\fR \fImech_type\fR, + \fBgss_name_t *\fR\fIname\fR, \fBOM_uint32 *\fR\fIinitiator_lifetime\fR, + \fBOM_uint32 *\fR\fIacceptor_lifetime\fR, \fBgss_cred_usage_t *\fR\fIcred_usage\fR); +.fi + +.SH PARAMETERS +.sp +.ne 2 +.mk +.na +\fB\fIacceptor_lifetime\fR\fR +.ad +.RS 22n +.rt +The number of seconds that the credential is capable of accepting security contexts under the specified mechanism. If the credential can no longer be used to accept contexts, or if the credential usage for this mechanism is \fBGSS_C_INITIATE\fR, this parameter will be set to \fB0\fR. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_handle\fR\fR +.ad +.RS 22n +.rt +A handle that refers to the target credential. Specify \fBGSS_C_NO_CREDENTIAL\fR to inquire about the default initiator principal. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage\fR\fR +.ad +.RS 22n +.rt +How the credential may be used with the specified mechanism. The \fIcred_usage\fR parameter may contain one of the following values: \fBGSS_C_INITIATE\fR, \fBGSS_C_ACCEPT\fR, or \fBGSS_C_BOTH\fR. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinitiator_lifetime\fR\fR +.ad +.RS 22n +.rt +The number of seconds that the credential is capable of initiating security contexts under the specified mechanism. If the credential can no longer be used to initiate contexts, or if the credential usage for this mechanism is \fBGSS_C_ACCEPT\fR, this parameter will be set to \fB0\fR. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_type\fR\fR +.ad +.RS 22n +.rt +The mechanism for which the information should be returned. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 22n +.rt +A mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname\fR\fR +.ad +.RS 22n +.rt +The name whose identity the credential asserts. Any storage associated with this \fIname\fR must be freed by the application after use by a call to \fBgss_release_name\fR(3GSS). +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_inquire_cred_by_mech()\fR function obtains per-mechanism information about a credential. +.SH ERRORS +.sp +.LP +The \fBgss_inquire_cred_by_mech()\fR function can return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 30n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.RS 30n +.rt +The credentials cannot be added because they have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR +.ad +.RS 30n +.rt +The referenced credentials are invalid. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 30n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 30n +.rt +The referenced credentials cannot be accessed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNAVAILABLE\fR\fR +.ad +.RS 30n +.rt +The \fBgss_inquire_cred_by_mech()\fR function is not available for the specified mechanism type. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_name\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_inquire_mechs_for_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_inquire_mechs_for_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,131 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_inquire_mechs_for_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_inquire_mechs_for_name \- list mechanisms that support the specified name-type +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_inquire_mechs_for_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_name_t\fR \fIinput_name\fR,\fBgss_OID_set *\fR\fImech_types\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_inquire_mechs_for_name()\fR function returns the set of mechanisms supported by the \fBGSS-API\fR that may be able to process the specified name. Each mechanism returned will recognize at least one element within the internal name. +.sp +.LP +Some implementations of the \fBGSS-API\fR may perform this test by checking nametype information contained within the passed name and registration information provided by individual mechanisms. This means that the \fImech_types\fR set returned by the function may indicate that a particular mechanism will understand the name, when in fact the mechanism would refuse to accept the name as input to \fBgss_canonicalize_name\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), or \fBgss_add_cred\fR(3GSS), due to some property of the name itself rather than the name-type. Therefore, this function should be used only as a pre-filter for a call to a subsequent mechanism-specific function. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_inquire_mechs_for_name()\fR follow in alphabetical order: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_name\fR\fR +.ad +.RS 16n +.rt +The name to which the inquiry relates. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImech_types\fR\fR +.ad +.RS 16n +.rt +Set of mechanisms that may support the specified name. The returned \fBOID\fR set must be freed by the caller after use with a call to \fBgss_release_oid_set\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_inquire_mechs_for_name()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 22n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAME\fR\fR +.ad +.RS 22n +.rt +The \fIinput_name\fR parameter was ill-formed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_NAMETYPE\fR\fR +.ad +.RS 22n +.rt +The \fIinput_name\fR parameter contained an invalid or unsupported type of name. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 22n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_add_cred\fR(3GSS), \fBgss_canonicalize_name\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_inquire_names_for_mech.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_inquire_names_for_mech.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,106 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_inquire_names_for_mech 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_inquire_names_for_mech \- list the name-types supported by the specified mechanism +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fBOM_uint32\fR \fBgss_inquire_names_for_mech\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_OID\fR \fImechanism\fR,\fBgss_OID_set *\fR\fIname_types\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_inquire_names_for_mech()\fR function returns the set of name-types supported by the specified mechanism. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_inquire_names_for_mech()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImechanism\fR\fR +.ad +.RS 16n +.rt +The mechanism to be interrogated. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIname_types\fR\fR +.ad +.RS 16n +.rt +Set of name-types supported by the specified mechanism. The returned \fBOID\fR set must be freed by the application after use with a call to \fBgss_release_oid_set\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_inquire_names_for_mech()\fR function may return the following values: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_oid_to_str.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_oid_to_str.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,132 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_oid_to_str 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_oid_to_str \- convert an OID to a string +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fB\fR\fBgss_oid_to_str\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBconst gss_OID\fR \fIoid\fR, + \fBgss_buffer_t\fR\fIoid_str\fR); +.fi + +.SH PARAMETERS +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Status code returned by underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid\fR\fR +.ad +.RS 16n +.rt +\fBGSS-API\fR \fBOID\fR structure to convert. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid_str\fR\fR +.ad +.RS 16n +.rt +String to receive converted \fBOID\fR. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_oid_to_str()\fR function converts a \fBGSS-API\fR \fBOID\fR structure to a string. You can use the function to convert the name of a mechanism from an \fBOID\fR to a simple string. This function is a convenience function, as is its complementary function, \fBgss_str_to_oid\fR(3GSS). +.sp +.LP +If an \fBOID\fR must be created, use \fBgss_create_empty_oid_set\fR(3GSS) and \fBgss_add_oid_set_member\fR(3GSS) to create it. \fBOID\fRs created in this way must be released with \fBgss_release_oid_set\fR(3GSS). However, it is strongly suggested that applications use the default \fBGSS-API\fR mechanism instead of creating an \fBOID\fR for a specific mechanism. +.SH ERRORS +.sp +.LP +The \fBgss_oid_to_str()\fR function returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR +.ad +.sp .6 +.RS 4n +A required input parameter could not be read. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CALL_INACCESSIBLE_WRITE\fR\fR +.ad +.sp .6 +.RS 4n +A required output parameter could not be written. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.sp .6 +.RS 4n +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.sp .6 +.RS 4n +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_add_oid_set_member\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBgss_str_to_oid\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + +.SH WARNINGS +.sp +.LP +This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function. diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_process_context_token.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_process_context_token.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,131 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_process_context_token 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_process_context_token \- pass asynchronous token to security service +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_process_context_token\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR,\fBconst gss_buffer_t\fR \fItoken_buffer\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_process_context_token()\fR function provides a way to pass an asynchronous token to the security service. Most context-level tokens are emitted and processed synchronously by \fBgss_init_sec_context()\fR and \fBgss_accept_sec_context()\fR, and the application is informed as to whether further tokens are expected by the \fBGSS_C_CONTINUE_NEEDED\fR major status bit. Occasionally, a mechanism might need to emit a context-level token at a point when the peer entity is not expecting a token. For example, the initiator's final call to \fBgss_init_sec_context()\fR may emit a token and return a status of \fBGSS_S_COMPLETE\fR, but the acceptor's call to \fBgss_accept_sec_context()\fR might fail. The acceptor's mechanism might want to send a token containing an error indication to the initiator, but the initiator is not expecting a token at this point, believing that the context is fully established. \fBgss_process_context_token()\fR provides a way to pass such a token to the mechanism at any time. +.sp +.LP +This function is provided for compatibility with the \fBGSS-API\fR version 1. Because \fBgss_delete_sec_context()\fR no longer returns a valid \fIoutput_token\fR to be sent to \fBgss_process_context_token()\fR, applications using a newer version of the \fBGSS-API\fR do not need to rely on this function. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_process_context_token()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 18n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 18n +.rt +Context handle of context on which token is to be processed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItoken_buffer\fR\fR +.ad +.RS 18n +.rt +Token to process. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_process_context_token()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.RS 25n +.rt +Indicates that consistency checks performed on the token failed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR did not refer to a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBattributes\fR(5) +.sp +.LP +\fI\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_release_buffer.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_release_buffer.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,94 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_release_buffer 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_release_buffer \- free buffer storage allocated by a GSS-API function +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_release_buffer\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBgss_buffer_t\fR\fIbuffer\fR); +.fi + +.SH DESCRIPTION +.sp +.LP + The \fBgss_release_buffer()\fR function frees buffer storage allocated by a \fBGSS-API\fR function. The \fBgss_release_buffer()\fR function also zeros the length field in the descriptor to which the buffer parameter refers, while the \fBGSS-API\fR function sets the pointer field in the descriptor to \fBNULL\fR. Any buffer object returned by a \fBGSS-API\fR function may be passed to \fBgss_release_buffer()\fR, even if no storage is associated with the buffer. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_release_buffer()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIbuffer\fR\fR +.ad +.RS 16n +.rt +The storage associated with the buffer will be deleted. The \fBgss_buffer_desc()\fR object will not be freed; however, its length field will be zeroed. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_release_buffer()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_release_cred.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_release_cred.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,106 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_release_cred 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_release_cred \- discard a credential handle +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_release_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBgss_cred_id_t *\fR\fIcred_handle\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_release_cred()\fR function informs the \fBGSS-API\fR that the specified credential handle is no longer required by the application and frees the associated resources. The \fIcred_handle\fR parameter is set to \fBGSS_C_NO_CREDENTIAL\fR when this call completes successfully. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_release_cred()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_handle\fR\fR +.ad +.RS 16n +.rt +An opaque handle that identifies the credential to be released. If \fBGSS_C_NO_CREDENTIAL\fR is specified, the \fBgss_release_cred()\fR function will complete successfully, but it will do nothing. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_release_cred()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CRED\fR\fR +.ad +.RS 18n +.rt +The referenced credentials cannot be accessed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_release_name.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_release_name.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,105 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_release_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_release_name \- discard an internal-form name +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] +#include + +\fB\fR\fBgss_release_oid\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBconst gss_OID *\fR\fIoid\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_release_oid()\fR function deletes an \fBOID\fR. Such an \fBOID\fR might have been created with \fBgss_str_to_oid()\fR. +.sp +.LP +Since creating and deleting individual \fBOID\fRs is discouraged, it is preferable to use \fBgss_release_oid_set()\fR if it is necessary to deallocate a set of \fBOID\fRs. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_release_oid()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid\fR\fR +.ad +.RS 16n +.rt +The object identifier of the mechanism to be deleted. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_release_oid()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_oid_set\fR(3GSS), \fBgss_str_to_oid\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + +.SH WARNINGS +.sp +.LP +This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function. diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_release_oid_set.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_release_oid_set.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,97 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_release_oid_set 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_release_oid_set \- free storage associated with a GSS-API-generated gss_OID_set object +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_release_oid_set\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBgss_OID_set *\fR\fIset\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_release_oid_set()\fR function frees storage associated with a \fBGSS-API\fR-generated \fBgss_OID_set\fR object. The \fIset\fR parameter must refer to an \fBOID\fR-set that was returned from a \fBGSS-API\fR function. The \fBgss_release_oid_set()\fR function will free the storage associated with each individual member \fBOID\fR, the \fBOID\fR \fIset\fR's elements array, and \fBgss_OID_set_desc\fR. +.sp +.LP +\fBgss_OID_set\fR is set to \fBGSS_C_NO_OID_SET\fR on successful completion of this function. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_release_oid_set()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIset\fR\fR +.ad +.RS 16n +.rt +Storage associated with the \fBgss_OID_set\fR will be deleted +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_release_oid_set()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_store_cred.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_store_cred.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,224 @@ +'\" te +.\" Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. +.TH gss_store_cred 3GSS "30 Jun 2005" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_store_cred \- store a credential in the current credential store +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_store_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_cred_id_t\fR \fIinput_cred\fR, \fBconst gss_cred_usage_t\fR \fIcred_usage\fR, + \fBconst gss_OID\fR \fIdesired_mech\fR, \fBOM_uint32\fR \fIoverwrite_cred\fR, + \fBOM_uint32\fR \fIdefault_cred\fR, \fBgss_OID_set *\fR\fIelements_stored\fR, + \fBgss_cred_usage_t *\fR\fIcred_usage_stored\fR); +.fi + +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_store_cred()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIinput_cred\fR\fR +.ad +.RS 21n +.rt +The credential to be stored. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage\fR\fR +.ad +.RS 21n +.rt +This parameter specifies whether to store an initiator, an acceptor, or both usage components of a credential. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdesired_mech\fR\fR +.ad +.RS 21n +.rt +The mechanism-specific component of a credential to be stored. If \fBGSS_C_NULL_OID\fR is specified, the \fBgss_store_cred()\fR function attempts to store all the elements of the given \fIinput_cred_handle\fR. +.sp +The \fBgss_store_cred()\fR function is not atomic when storing multiple elements of a credential. All delegated credentials, however, contain a single element. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoverwrite_cred\fR\fR +.ad +.RS 21n +.rt +A boolean that indicates whether to overwrite existing credentials in the current store for the same principal as that of the \fIinput_cred_handle\fR. A non-zero value indicates that credentials are overwritten. A zero value indicates that credentials are not overwritten. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIdefault_cred\fR\fR +.ad +.RS 21n +.rt +A boolean that indicates whether to set the principal name of the \fIinput_cred_handle\fR parameter as the default of the current credential store. A non-zero value indicates that the principal name is set as the default. A zero value indicates that the principal name is not set as the default. The default principal of a credential store matches \fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR input parameter for \fBgss_store_cred\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIelements_stored\fR\fR +.ad +.RS 21n +.rt +The set of mechanism \fBOID\fRs for which \fIinput_cred_handle\fR elements have been stored. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcred_usage_stored\fR\fR +.ad +.RS 21n +.rt +The stored \fIinput_cred_handle\fR usage elements: initiator, acceptor, or both. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 21n +.rt +Minor status code that is specific to one of the following: the mechanism identified by the \fIdesired_mech_element\fR parameter, or the element of a single mechanism in the \fIinput_cred_handle\fR. In all other cases, \fIminor_status\fR has an undefined value on return. +.RE + +.SH DESCRIPTION +.sp +.LP +The \fBgss_store_cred()\fR function stores a credential in the the current GSS-API credential store for the calling process. Input credentials can be re-acquired through \fBgss_add_cred\fR(3GSS) and \fBgss_acquire_cred\fR(3GSS). +.sp +.LP +The \fBgss_store_cred()\fR function is specifically intended to make delegated credentials available to a user's login session. +.sp +.LP +The \fBgss_accept_sec_context()\fR function can return a delegated GSS-API credential to its caller. The function does not store delegated credentials to be acquired through \fBgss_add_cred\fR(3GSS). Delegated credentials can be used only by a receiving process unless they are made available for acquisition by calling the \fBgss_store_cred()\fR function. +.sp +.LP +The Solaris Operating System supports a single GSS-API credential store per user. The current GSS-API credential store of a process is determined by its effective UID. +.sp +.LP +In general, acceptor applications should switch the current credential store by changing the effective UID before storing a delegated credential. +.SH RETURN VALUES +.sp +.LP +The \fBgss_store_cred()\fR can return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.sp .6 +.RS 4n +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR +.ad +.sp .6 +.RS 4n +The credentials could not be stored because they have expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR +.ad +.sp .6 +.RS 4n +No input credentials were given. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNAVAILABLE\fR\fR +.ad +.sp .6 +.RS 4n +The credential store is unavailable. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR +.ad +.sp .6 +.RS 4n +The credentials could not be stored because the \fIoverwrite_cred\fR input parameter was set to false (\fB0\fR) and the \fIinput_cred\fR parameter conflicts with a credential in the current credential store. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.sp .6 +.RS 4n +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +Interface StabilityUncommitted +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), \fBgss_add_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_str_to_oid.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_str_to_oid.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,135 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_str_to_oid 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_str_to_oid \- convert a string to an OID +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_str_to_oid\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_buffer_t\fR \fIoid_str\fR,\fBgss_OID *\fR\fIoid\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_str_to_oid()\fR function converts a string to a \fBGSS-API\fR \fBOID\fR structure. You can use the function to convert a simple string to an \fBOID\fR to . This function is a convenience function, as is its complementary function, \fBgss_oid_to_str\fR(3GSS). +.sp +.LP +\fBOID\fRs created with \fBgss_str_to_oid()\fR must be deallocated through \fBgss_release_oid\fR(3GSS), if available. If an \fBOID\fR must be created, use \fBgss_create_empty_oid_set\fR(3GSS) and \fBgss_add_oid_set_member\fR(3GSS) to create it. \fBOID\fRs created in this way must be released with \fBgss_release_oid_set\fR(3GSS). However, it is strongly suggested that applications use the default \fBGSS-API\fR mechanism instead of creating an \fBOID\fR for a specific mechanism. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_str_to_oid()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +Status code returned by underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid\fR\fR +.ad +.RS 16n +.rt +\fBGSS-API\fR \fBOID\fR structure to receive converted string. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoid_str\fR\fR +.ad +.RS 16n +.rt +String to convert. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_str_to_oid()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR +.ad +.sp .6 +.RS 4n +A required input parameter could not be read. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CALL_INACCESSIBLE_WRITE\fR\fR +.ad +.sp .6 +.RS 4n +A required output parameter could not be written. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.sp .6 +.RS 4n +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.sp .6 +.RS 4n +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_add_oid_set_member\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBgss_oid_to_str\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + +.SH WARNINGS +.sp +.LP +This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function. diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_test_oid_set_member.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_test_oid_set_member.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,118 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_test_oid_set_member 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_test_oid_set_member \- interrogate an object identifier set +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_test_oid_set_member\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_OID\fR \fImember\fR,\fBconst gss_OID_set\fR \fIset\fR, + \fBint *\fR\fIpresent\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_test_oid_set_member()\fR function interrogates an object identifier set to determine if a specified object identifier is a member. This function should be used with \fBOID\fR sets returned by \fBgss_indicate_mechs\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), and \fBgss_inquire_cred\fR(3GSS), but it will also work with user-generated sets. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_test_oid_set_member()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 16n +.rt +A mechanism-specific status code +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImember\fR\fR +.ad +.RS 16n +.rt +An object identifier whose presence is to be tested +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIset\fR\fR +.ad +.RS 16n +.rt +An object identifier set. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIpresent\fR\fR +.ad +.RS 16n +.rt +The value of \fIpresent\fR is non-zero if the specified \fBOID\fR is a member of the set; if not, the value of \fIpresent\fR is zero. +.RE + +.SH ERRORS +.sp +.LP +The \fBgss_test_oid_set_member()\fR function may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 18n +.rt +Successful completion +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 18n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_acquire_cred\fR(3GSS), \fBgss_indicate_mechs\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_unwrap.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_unwrap.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,233 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_unwrap 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_unwrap \- verify a message with attached cryptographic message +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_unwrap\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, + \fBconst gss_buffer_t\fR \fIinput_message_buffer\fR, + \fBgss_buffer_t\fR \fIoutput_message_buffer\fR, \fBint *\fR\fIconf_state\fR, + \fBgss_qop_t *\fR\fIqop_state\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_unwrap()\fR function converts a message previously protected by \fBgss_wrap\fR(3GSS) back to a usable form, verifying the embedded \fBMIC\fR. The \fIconf_state\fR parameter indicates whether the message was encrypted; the \fIqop_state\fR parameter indicates the strength of protection that was used to provide the confidentiality and integrity services. +.sp +.LP +Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR supports the wrapping and unwrapping of zero-length messages. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_unwrap()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 25n +.rt +The status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 25n +.rt +Identifies the context on which the message arrived. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_message_buffer\fR\fR +.ad +.RS 25n +.rt +The message to be protected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_message_buffer\fR\fR +.ad +.RS 25n +.rt +The buffer to receive the unwrapped message. Storage associated with this buffer must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIconf_state\fR\fR +.ad +.RS 25n +.rt +If the value of \fIconf_state\fR is non-zero, then confidentiality and integrity protection were used. If the value is zero, only integrity service was used. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIqop_state\fR\fR +.ad +.RS 25n +.rt +Specifies the quality of protection provided. Specify \fBNULL\fR if this parameter is not required. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_unwrap()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token failed consistency checks. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_SIG\fR\fR +.ad +.RS 25n +.rt +The \fBMIC\fR was incorrect. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid, and contained a correct \fBMIC\fR for the message, but it had already been processed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_OLD_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid, and contained a correct \fBMIC\fR for the message, but it is too old to check for duplication. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNSEQ_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid, and contained a correct \fBMIC\fR for the message, but has been verified out of sequence; a later token has already been received. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_GAP_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid, and contained a correct \fBMIC\fR for the message, but has been verified out of sequence; an earlier expected token has not yet been received. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has already expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR parameter did not identify a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_buffer\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_verify_mic.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_verify_mic.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,220 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_verify_mic 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_verify_mic \- verify integrity of a received message +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_verify_mic\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBconst gss_buffer_t\fR \fImessage_buffer\fR, + \fBconst gss_buffer_t\fR \fItoken_buffer\fR, \fBgss_qop_t *\fR\fIqop_state\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_verify_mic()\fR function verifies that a cryptographic \fBMIC\fR, contained in the token parameter, fits the supplied message. The \fIqop_state\fR parameter allows a message recipient to determine the strength of protection that was applied to the message. +.sp +.LP +Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR supports the calculation and verification of \fBMIC\fRs over zero-length messages. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_verify_mic()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 18n +.rt +The status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 18n +.rt +Identifies the context on which the message arrived. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImessage_buffer\fR\fR +.ad +.RS 18n +.rt +The message to be verified. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fItoken_buffer\fR\fR +.ad +.RS 18n +.rt +The token associated with the message. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIqop_state\fR\fR +.ad +.RS 18n +.rt +Specifies the quality of protection gained from the \fBMIC\fR. Specify \fBNULL\fR if this parameter is not required. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_verify_mic()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token failed consistency checks. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_SIG\fR\fR +.ad +.RS 25n +.rt +The \fBMIC\fR was incorrect. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid and contained a correct \fBMIC\fR for the message, but it had already been processed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_OLD_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid and contained a correct \fBMIC\fR for the message, but it is too old to check for duplication. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_UNSEQ_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid and contained a correct \fBMIC\fR for the message, but it has been verified out of sequence; a later token has already been received. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_GAP_TOKEN\fR\fR +.ad +.RS 25n +.rt +The token was valid and contained a correct \fBMIC\fR for the message, but it has been verified out of sequence; an earlier expected token has not yet been received. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has already expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR parameter did not identify a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_wrap.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_wrap.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,188 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_wrap 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_wrap \- attach a cryptographic message +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_wrap\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBint\fR \fIconf_req_flag\fR, + \fBgss_qop_t\fR \fIqop_req\fR, \fBconst gss_buffer_t\fR \fIinput_message_buffer\fR, + \fBint *\fR\fIconf_state\fR, \fBgss_buffer_t\fR \fIoutput_message_buffer\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_wrap()\fR function attaches a cryptographic \fBMIC\fR and optionally encrypts the specified \fIinput_message\fR. The \fIoutput_message\fR contains both the \fBMIC\fR and the message. The \fIqop_req\fR parameter allows a choice between several cryptographic algorithms, if supported by the chosen mechanism. +.sp +.LP +Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap()\fR to provide secure framing, the \fBGSS-API\fR supports the wrapping of zero-length messages. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_wrap()\fR follow: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 25n +.rt +The status code returned by the underlying mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 25n +.rt +Identifies the context on which the message will be sent. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIconf_req_flag\fR\fR +.ad +.RS 25n +.rt +If the value of \fIconf_req_flag\fR is non-zero, both confidentiality and integrity services are requested. If the value is zero, then only integrity service is requested. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIqop_req\fR\fR +.ad +.RS 25n +.rt +Specifies the required quality of protection. A mechanism-specific default may be requested by setting \fIqop_req\fR to \fBGSS_C_QOP_DEFAULT\fR. If an unsupported protection strength is requested, \fBgss_wrap()\fR will return a \fImajor_status\fR of \fBGSS_S_BAD_QOP\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIinput_message_buffer\fR\fR +.ad +.RS 25n +.rt +The message to be protected. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIconf_state\fR\fR +.ad +.RS 25n +.rt +If the value of \fIconf_state\fR is non-zero, confidentiality, data origin authentication, and integrity services have been applied. If the value is zero, then integrity services have been applied. Specify \fBNULL\fR if this parameter is not required. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIoutput_message_buffer\fR\fR +.ad +.RS 25n +.rt +The buffer to receive the protected message. Storage associated with this message must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS). +.RE + +.SH ERRORS +.sp +.LP +\fBgss_wrap()\fR may return the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has already expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The \fIcontext_handle\fR parameter did not identify a valid context. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_QOP\fR\fR +.ad +.RS 25n +.rt +The specified \fBQOP\fR is not supported by the mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/gss_wrap_size_limit.3gss --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/gss_wrap_size_limit.3gss Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,177 @@ +'\" te +.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. +.TH gss_wrap_size_limit 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions" +.SH NAME +gss_wrap_size_limit \- allow application to determine maximum message size with resulting output token of a specified maximum size +.SH SYNOPSIS +.LP +.nf +\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include + +\fBOM_uint32\fR \fBgss_process_context_token\fR(\fBOM_uint32 *\fR\fIminor_status\fR, + \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBint\fR \fIconf_req_flag\fR, + \fBgss_qop_t\fR \fIqop_req\fR, \fBOM_uint32\fR \fIreq_output_size\fR, + \fBOM_uint32 *\fR\fImax_input_size\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBgss_wrap_size_limit()\fR function allows an application to determine the maximum message size that, if presented to \fBgss_wrap()\fR with the same \fIconf_req_flag\fR and \fIqop_req\fR parameters, results in an output token containing no more than \fIreq_output_size\fR bytes. This call is intended for use by applications that communicate over protocols that impose a maximum message size. It enables the application to fragment messages prior to applying protection. The \fBGSS-API\fR detects invalid \fBQOP\fR values when \fBgss_wrap_size_limit()\fR is called. This routine guarantees only a maximum message size, not the availability of specific \fBQOP\fR values for message protection. +.sp +.LP +Successful completion of \fBgss_wrap_size_limit()\fR does not guarantee that \fBgss_wrap()\fR will be able to protect a message of length \fImax_input_size\fR bytes, since this ability might depend on the availability of system resources at the time that \fBgss_wrap()\fR is called. +.SH PARAMETERS +.sp +.LP +The parameter descriptions for \fBgss_wrap_size_limit()\fR are as follows: +.sp +.ne 2 +.mk +.na +\fB\fIminor_status\fR\fR +.ad +.RS 19n +.rt +A mechanism-specific status code. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIcontext_handle\fR\fR +.ad +.RS 19n +.rt +A handle that refers to the security over which the messages will be sent. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIconf_req_flag\fR\fR +.ad +.RS 19n +.rt +Indicates whether \fBgss_wrap()\fR will be asked to apply confidential protection in addition to integrity protection. See \fBgss_wrap\fR(3GSS) for more details. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIqop_req\fR\fR +.ad +.RS 19n +.rt +Indicates the level of protection that \fBgss_wrap()\fR will be asked to provide. See \fBgss_wrap\fR(3GSS) for more details. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fIreq_output_size\fR\fR +.ad +.RS 19n +.rt +The desired maximum size for tokens emitted by \fBgss_wrap()\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fImax_input_size\fR\fR +.ad +.RS 19n +.rt +The maximum input message size that can be presented to \fBgss_wrap()\fR to guarantee that the emitted token will be no larger than \fIreq_output_size\fR bytes. +.RE + +.SH ERRORS +.sp +.LP +\fBgss_wrap_size_limit()\fR returns one of the following status codes: +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_COMPLETE\fR\fR +.ad +.RS 25n +.rt +Successful completion. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_NO_CONTEXT\fR\fR +.ad +.RS 25n +.rt +The referenced context could not be accessed. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR +.ad +.RS 25n +.rt +The context has expired. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_BAD_QOP\fR\fR +.ad +.RS 25n +.rt +The specified \fBQOP\fR is not supported by the mechanism. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBGSS_S_FAILURE\fR\fR +.ad +.RS 25n +.rt +The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +MT LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBgss_wrap\fR(3GSS), \fBattributes\fR(5) +.sp +.LP + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/ja_JP.UTF-8/kerberos.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/ja_JP.UTF-8/kerberos.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,117 @@ +'\" te +.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved +.TH kerberos 5 "2008 年 10 月 1 日" "SunOS 5.12" "標準、環境、マクロ" +.SH 名前 +kerberos \- Solaris Kerberos 実装の概要 +.SH 機能説明 +.sp +.LP +Solaris Kerberos の実装 (以降、「Kerberos」と短縮する場合もあり) によって、ネットワーク環境内のクライアントが認証されるため、セキュアなトランザクションが可能になります。(クライアントはユーザーまたはネットワークサービスです。)Kerberos では、クライアントの同一性および転送されたデータの信頼性が検証されます。Kerberos は「\fIシングルサインオン\fR」システムです。つまり、ユーザーはセッションの開始時にのみ、パスワードを入力する必要があります。Solaris Kerberos は、\fBMIT\fR で開発された Kerberos(TM) システムに基づいて実装され、異機種混在ネットワーク上で Kerberos V5 システムとの互換性があります。 +.sp +.LP +Kerberos は、クライアントを一意に識別し、有効期間に限りがある\fIチケット\fRをクライアントに付与することによって動作します。チケットを所有するクライアントは、権限が付与されているネットワークサービスについて自動的に検証されます。たとえば、有効な Kerberos チケットを持つユーザーは、自分自身の身元を証明しなくても、Kerberos が動作している別のマシンに rlogin できます。各クライアントは一意のチケットを持っているため、身元が保証されます。 +.sp +.LP +チケットを入手するには、まずクライアントは \fBkinit\fR(1) コマンドまたは \fBPAM\fR モジュールを使用して、Kerberos セッションを初期化する必要があります。(\fBpam_krb5\fR(5) を参照)。\fBkinit\fR によってパスワードを求めるプロンプトが表示され、\fIKey Distribution Center\fR (\fBKDC\fR) との通信が行なわれます。\fBKDC\fR によって、\fIチケット認可チケット\fR (\fBTGT\fR) が返され、パスワードの確認を求めるプロンプトが表示されます。クライアントがパスワードを確認すると、チケット認可チケットを使用して、特定のネットワークサービスのチケットを取得できます。チケットは透過的に付与されるため、ユーザーが管理について心配する必要はありません。\fBklist\fR(1) コマンドを使用すると、現在のチケットを表示できます。 +.sp +.LP +チケットは、インストール時に設定されたシステム\fIポリシー\fRに従って有効になります。たとえば、チケットには有効なデフォルトの有効期間があります。root に属するチケットなどの特権チケットの有効期間が非常に短くなるように、ポリシーに追加指示することもできます。ポリシーでは、いくつかのデフォルトルールを上書きできます。たとえば、クライアントは、デフォルトよりも有効期間が長いまたは短いチケットをリクエストできます。 +.sp +.LP +\fBkinit\fR を使用すると、チケットを更新できます。チケットは\fI転送可能\fRでもあるため、あるマシン上で付与されたチケットを別のホスト上で使用できます。\fBkdestroy\fR(1) を使用すると、チケットを破棄できます。\fB\&.logout\fR ファイルに \fBkdestroy\fR への呼び出しを含めることをお勧めします。 +.sp +.LP +Kerberos では、クライアントは\fI主体\fRと呼ばれます。主体の形式は次のとおりです: +.sp +.in +2 +.nf +primary/instance@REALM +.fi +.in -2 +.sp + +.sp +.ne 2 +.mk +.na +\fBプライマリノード\fR +.ad +.RS 28n +.rt +ユーザー、ホスト、またはサービス。 +.RE + +.sp +.ne 2 +.mk +.na +\fBインスタンス\fR +.ad +.RS 28n +.rt +プライマリの資格です。プライマリがキーワード \fBhost\fR で指定されたホストの場合、インスタンスはそのホストの完全指定ドメイン名です。プライマリがユーザーまたはサービスの場合、インスタンスはオプションです。\fBadmin\fR や \fBroot\fR などの一部のインスタンスは特権です。 +.RE + +.sp +.ne 2 +.mk +.na +\fBレルム\fR +.ad +.RS 28n +.rt +Kerberos で、ドメインに相当するものです。実際に、ほとんどの場合でレルムは \fBDNS\fR ドメイン名に直接マップされています。Kerberos レルムでは大文字のみが使用されます。主体名の例については、「使用例」を参照してください。 +.RE + +.sp +.LP +Kerberos では、ユーザー認証以外にも、General Security Services \fBAPI\fR (\fBGSS-API\fR) を利用した 2 種類のセキュリティーサービスが提供されます: 転送されたデータの有効性を認証する \fIintegrity\fR と、転送されたデータを暗号化する \fIprivacy\fR。開発者は RPCSEC_GSS \fBAPI\fR インタフェースを使用することによって、\fBGSS-API\fR を利用できます (\fBrpcsec_gss\fR(3NSL) を参照)。 +.SH 使用例 +.LP +\fB例 1 \fR有効な主体名の例 +.sp +.LP +次に、有効な主体名の例を示します: + +.sp +.in +2 +.nf + joe + joe/admin + joe@ENG.ACME.COM + joe/admin@ENG.ACME.COM + rlogin/bigmachine.eng.acme.com@ENG.ACME.COM + host/bigmachine.eng.acme.com@ENG.ACME.COM +.fi +.in -2 +.sp + +.sp +.LP +最初の 4 つのケースは\fIユーザー主体\fRです。最初の 2 つのケースでは、ユーザー \fBjoe\fR がクライアントと同じレルム内にあるため、レルムが指定されていないことが想定されます。\fBjoe\fR と \fBjoe/admin\fR は、同じユーザーに使用されている場合でも、別々の主体であることに注意してください。\fBjoe/admin\fR は、\fBjoe\fR とは別の特権を持っています。5 番目のケースは \fIサービス主体\fR、最後のケースは\fIホスト主体\fRです。ホスト主体には、\fBhost\fR という語が必要です。ホスト主体では、インスタンスは完全指定ホスト名です。\fBadmin\fR および \fBhost\fR という語は予約済みのキーワードであることに注意してください。 + +.SH 関連項目 +.sp +.LP +\fBkdestroy\fR(1)、\fBkinit\fR(1)、\fBklist\fR(1)、\fBkpasswd\fR(1)、\fBkrb5.conf\fR(4)、\fBkrb5envvar\fR(5) +.sp +.LP +\fI『System Administration Guide: Security Services 』\fR +.SH 注意事項 +.sp +.LP +以前のリリースの Solaris オペレーティングシステムでは、Solaris Kerberos の実装は「SEAM (Sun Enterprise Authentication Mechanism)」と呼ばれていました。 +.sp +.LP +ユーザー名を入力し、\fBkinit\fR が次のメッセージを返した場合: +.sp +.in +2 +.nf +Principal unknown (kerberos) +.fi +.in -2 +.sp + +.sp +.LP +Kerberos ユーザーとして登録されていません。システム管理者に問い合わせるか、\fI『System Administration Guide: Security Services』\fRを参照してください。 diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/ja_JP.UTF-8/krb5envvar.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/ja_JP.UTF-8/krb5envvar.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,178 @@ +'\" te +.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved +.TH krb5envvar 5 "2008 年 2 月 13 日" "SunOS 5.12" "標準、環境、マクロ" +.SH 名前 +krb5envvar \- Kerberos 環境変数 +.SH 機能説明 +.sp +.LP +Kerberos メカニズムには、アプリケーションのニーズを満たすために、さまざまな動作を構成する多数の環境変数が用意されています。Kerberos 機構では、次の環境変数が使用されます: +.sp +.ne 2 +.mk +.na +\fB\fBKRB5_KTNAME\fR\fR +.ad +.sp .6 +.RS 4n +鍵テーブルファイルの場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +ここで、\fI\fR には \fBFILE\fR または \fBWRFILE\fR を指定できます。\fBFILE\fR は読み取り操作用、\fBWRFILE\fR は書き込み操作用です。\fI\fR は、\fBkeytab\fR ファイルの場所です。 +.sp +r +.sp +\fBKRB5_KTNAME\fR が定義されない場合のデフォルト値は次のとおりです: +.sp +.in +2 +.nf +FILE:/etc/krb5/krb5.keytab +.fi +.in -2 + +\fBkeytab\fR ファイルは、永続的に資格を格納するために使用され、一般にサービスデーモンで使用されます。 +.sp +\fBFILE\fR タイプを指定することは、関連するファイル上の後続操作が呼び出しプロセスで読み取り可能であることが前提となっています。暗号化されていない鍵を取得する必要のある主体のセットでのみファイルが読み取り可能になるように注意してください。 +.sp +\fBWRFILE\fR タイプは、\fBkadmin\fR(1M) コマンドで使用されます。このタイプを指定すると、管理者は追加のコマンド行引数を使用してファイルの場所を指定しなくても、書き込む代替の \fBkeytab\fR ファイルを指定できます。 +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5CCNAME\fR\fR +.ad +.sp .6 +.RS 4n +資格キャッシュの場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +ここで、\fI\fR には \fBFILE\fR または \fBMEMORY\fR を指定できます。\fI\fR は主体の資格キャッシュの場所です。 +.sp +\fBKRB5CCNAME\fR が定義されない場合のデフォルト値は次のとおりです: +.sp +.in +2 +.nf +FILE:/tmp/krb5cc_\fI\fR +.fi +.in -2 + +ここで、\fI\fR はキャッシュファイルを作成したプロセスのユーザー ID です。 +.sp +資格キャッシュファイルは、主体に付与されているチケットを格納するために使用されます。 +.sp +\fBFILE\fR タイプを指定することは、関連するファイル上の後続操作が呼び出しプロセスで読み書き可能であることが前提となっています。資格にアクセスする必要のある主体のセットのみがファイルにアクセス可能になるように注意してください。ほかのユーザーが書き込みアクセス権を持っているディレクトリ内に資格ファイルがある場合、そのディレクトリのスティッキービットを設定する必要があります (\fBchmod\fR(1) を参照)。 +.sp +\fBMEMORY\fR タイプの資格キャッシュは、呼び出しプロセスの存続期間中に一時キャッシュを作成する場合などの特殊なケースでしか使用されません。 +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5RCNAME\fR\fR +.ad +.sp .6 +.RS 4n +リプレイキャッシュのタイプと場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +ここで、\fI\fR には \fBFILE\fR、\fBMEMORY\fR、または \fBNONE\fR を指定できます。\fI\fR が関連するのは、リプレイキャッシュファイルタイプを指定する場合のみです。 +.sp +定義されない場合のデフォルト値は次のとおりです: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/root/rc_\fI\fR +.fi +.in -2 + +root がプロセスを所有している場合、または: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/rc_\fI\fR +.fi +.in -2 + +root 以外のユーザーがプロセスを所有している場合。\fI\fR は、リプレイキャッシュファイルに関連付けられたサービスプロセス名です。 +.sp +リプレイキャッシュは、Kerberos で認証データのリプレイを検出する際に使用されます。これにより、ネットワーク上の認証メッセージを取得するユーザーは、これらのメッセージを再送信しても、サーバーに対する認証を行なうことができません。 +.sp +\fBFILE\fR タイプのリプレイキャッシュを指定する場合は、別のユーザーがリプレイキャッシュファイルを削除できないように注意してください。リプレイキャッシュの所有者のみがリプレイキャッシュパスのすべてのディレクトリに書き込み可能であるか、またはその他のユーザーが書き込み権を持っているリプレイキャッシュパスのすべてのディレクトリにスティッキービット ("\fB t\fR") が設定されていることを確認します。 +.sp +\fBMEMORY\fR タイプのリプレイキャッシュを指定する場合は、非永続性キャッシュを使用することで発生するわずかなセキュリティーリスクに対するパフォーマンスのトレードオフを比較検討する必要があります。次の状況になると、システムのリブート中にリスクが発生します: +.RS +4 +.TP +.ie t \(bu +.el o +リブート前に最後にリプレイキャッシュに書き込んでから、Kerberos 化されたサーバーアプリケーションが実行されている時点までの期間は、Kerberos クロックスキューよりも短くなります (\fBkrb5.conf\fR(4) を参照)。 +.RE +\fBNONE\fR リプレイキャッシュ時間を指定する場合は、これによりリプレイキャッシュが無効になることと、発生するすべてのセキュリティーリスクについて理解する必要があります。これには、マニュアルページの該当セクションで説明されたすべてのリスクが含まれます。 +.sp +このような状況では、サーバーアプリケーションは、Kerberos 認証データのリプレイを (最後の書き込み時間とクロックスキューとの差異まで) 許容できます。一般に、これは短い猶予時間です。接続の受け入れを開始するまでの時間がクロックスキューよりもサーバーアプリケーションの方が長い場合は、リプレイのリスクはありません。 +.sp +前述のリスクは、\fB/var/run\fR や \fB/tmp\fR などのスワップファイルシステム上にリプレイキャッシュが存在するときに、\fBFILE\fR タイプのリプレイキャッシュを使用する場合と同じです。 +.sp +\fBMEMORY\fR タイプのリプレイキャッシュでは、ディスク I/O が存在しないことによって、\fBFILE\fR タイプよりもパフォーマンスが改善されています。このことは、\fBFILE\fR リプレイキャッシュがスワップ (\fB/tmp\fR や \fB/var/run\fR など) のメモリーに基づくファイルシステムに存在する場合でも該当します。 +.sp +\fBMEMORY\fR タイプのキャッシュはプロセスごとのキャッシュであるため、これらのタイプのキャッシュを使用する際には十分に考慮する必要があります。\fBMEMORY\fR タイプのキャッシュで問題が発生する可能性がある一例として、セキュリティーコンテキストを確立するために複数のプロセスがアプリケーションで使用されている場合があります。このような場合、リプレイキャッシュメモリーはプロセス間で共有されないため、リプレイ攻撃の可能性があります。 +.RE + +.sp +.ne 2 +.mk +.na +\fBKRB5_CONFIG\fR +.ad +.sp .6 +.RS 4n +KRB5_CONFIG で指定された別のファイルから構成パラメータを Kerberos ライブラリコードで読み取ることができるように、\fB/etc/krb5/krb5.conf\fR ファイルのデフォルトの場所を変更できます。\fBksh\fR(1) から kinit を使用する例: +.sp +.in +2 +.nf + KRB5_CONFIG=/var/tmp/krb5.conf kinit +.fi +.in -2 + +.RE + +.SH 属性 +.sp +.LP +属性についての詳細は、\fBattributes\fR(5) を参照してください。 +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +\fB属性タイプ\fR\fB属性値\fR +_ +使用条件system/security/kerberos-5 +_ +インタフェースの安定性不確実 +.TE + +.SH 関連項目 +.sp +.LP +\fBchmod\fR(1)、\fBkinit\fR(1)、\fBklist\fR(1)、\fBksh\fR(1)、\fBkadmin\fR(1M)、\fBkadmind\fR(1M)、\fBkrb5.conf\fR(4)、\fBattributes\fR(5)、\fBkerberos\fR(5) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/kerberos.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/kerberos.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,111 @@ +'\" te +.\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. +.TH kerberos 5 "1 Oct 2008" "SunOS 5.12" "Standards, Environments, and Macros" +.SH NAME +kerberos \- overview of Solaris Kerberos implementation +.SH DESCRIPTION +.sp +.LP +The Solaris Kerberos implementation, hereafter sometimes shortened to "Kerberos," authenticates clients in a network environment, allowing for secure transactions. (A client may be a user or a network service.) Kerberos validates the identity of a client and the authenticity of transferred data. Kerberos is a \fIsingle-sign-on\fR system, meaning that a user needs to provide a password only at the beginning of a session. The Solaris Kerberos implementation is based on the Kerberos(TM) system developed at \fBMIT\fR, and is compatible with Kerberos V5 systems over heterogeneous networks. +.sp +.LP +Kerberos works by granting clients \fItickets\fR, which uniquely identify a client, and which have a finite lifetime. A client possessing a ticket is automatically validated for network services for which it is entitled; for example, a user with a valid Kerberos ticket may rlogin into another machine running Kerberos without having to identify itself. Because each client has a unique ticket, its identity is guaranteed. +.sp +.LP +To obtain tickets, a client must first initialize the Kerberos session, either by using the \fBkinit\fR(1) command or a \fBPAM\fR module. (See \fBpam_krb5\fR(5)). \fBkinit\fR prompts for a password, and then communicates with a \fIKey Distribution Center\fR (\fBKDC\fR). The \fBKDC\fR returns a \fITicket-Granting Ticket\fR (\fBTGT\fR) and prompts for a confirmation password. If the client confirms the password, it can use the Ticket-Granting Ticket to obtain tickets for specific network services. Because tickets are granted transparently, the user need not worry about their management. Current tickets may be viewed by using the \fBklist\fR(1) command. +.sp +.LP +Tickets are valid according to the system \fIpolicy\fR set up at installation time. For example, tickets have a default lifetime for which they are valid. A policy may further dictate that privileged tickets, such as those belonging to root, have very short lifetimes. Policies may allow some defaults to be overruled; for example, a client may request a ticket with a lifetime greater or less than the default. +.sp +.LP +Tickets can be renewed using \fBkinit\fR. Tickets are also \fIforwardable\fR, allowing you to use a ticket granted on one machine on a different host. Tickets can be destroyed by using \fBkdestroy\fR(1). It is a good idea to include a call to \fBkdestroy\fR in your \fB\&.logout\fR file. +.sp +.LP +Under Kerberos, a client is referred to as a \fIprincipal\fR. A principal takes the following form: +.sp +.in +2 +.nf +primary/instance@REALM +.fi +.in -2 +.sp + +.sp +.ne 2 +.mk +.na +\fBprimary\fR +.ad +.RS 12n +.rt +A user, a host, or a service. +.RE + +.sp +.ne 2 +.mk +.na +\fBinstance\fR +.ad +.RS 12n +.rt +A qualification of the primary. If the primary is a host \(em indicated by the keyword \fBhost\fR\(em then the instance is the fully-qualified domain name of that host. If the primary is a user or service, then the instance is optional. Some instances, such as \fBadmin\fR or \fBroot\fR, are privileged. +.RE + +.sp +.ne 2 +.mk +.na +\fBrealm\fR +.ad +.RS 12n +.rt +The Kerberos equivalent of a domain; in fact, in most cases the realm is directly mapped to a \fBDNS\fR domain name. Kerberos realms are given in upper-case only. For examples of principal names, see the EXAMPLES. +.RE + +.sp +.LP +By taking advantage of the General Security Services \fBAPI\fR (\fBGSS-API\fR), Kerberos offers, besides user authentication, two other types of security service: \fIintegrity\fR, which authenticates the validity of transmitted data, and \fIprivacy\fR, which encrypts transmitted data. Developers can take advantage of the \fBGSS-API\fR through the use of the RPCSEC_GSS \fBAPI\fR interface (see \fBrpcsec_gss\fR(3C)). +.SH EXAMPLES +.LP +\fBExample 1 \fRExamples of valid principal names +.sp +.LP +The following are examples of valid principal names: + +.sp +.in +2 +.nf + joe + joe/admin + joe@ENG.ACME.COM + joe/admin@ENG.ACME.COM + rlogin/bigmachine.eng.acme.com@ENG.ACME.COM + host/bigmachine.eng.acme.com@ENG.ACME.COM +.fi +.in -2 +.sp + +.sp +.LP +The first four cases are \fIuser principals\fR. In the first two cases, it is assumed that the user \fBjoe\fR is in the same realm as the client, so no realm is specified. Note that \fBjoe\fRand \fBjoe/admin\fR are different principals, even if the same user uses them; \fBjoe/admin\fR has different privileges from \fBjoe\fR. The fifth case is a \fIservice principal\fR, while the final case is a \fIhost principal\fR. The word \fBhost\fR is required for host principals. With host principals, the instance is the fully qualified hostname. Note that the words \fBadmin\fR and \fBhost\fR are reserved keywords. + +.SH SEE ALSO +.sp +.LP +\fBkdestroy\fR(1), \fBkinit\fR(1), \fBklist\fR(1), \fBkpasswd\fR(1), \fBkrb5.conf\fR(4), \fBkrb5envvar\fR(5) +.SH NOTES +.sp +.LP +In previous releases of the Solaris operating system, the Solaris Kerberos implementation was referred to as the "Sun Enterprise Authentication Mechanism" (SEAM). +.sp +.LP +If you enter your username and \fBkinit\fR responds with this message: +.sp +.in +2 +.nf +Principal unknown (kerberos) +.fi +.in -2 +.sp + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/krb5envvar.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/krb5envvar.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,176 @@ +'\" te +.\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. +.TH krb5envvar 5 "6 Dec 2013" "SunOS 5.12" "Standards, Environments, and Macros" +.SH NAME +krb5envvar \- Kerberos environment variables +.SH DESCRIPTION +.sp +.LP +The Kerberos mechanism provides a number of environment variables to configure different behavior in order to meet applications' needs. Environment variables used within the Kerberos mechanism are: +.sp +.ne 2 +.mk +.na +\fB\fBKRB5_KTNAME\fR\fR +.ad +.sp .6 +.RS 4n +Used by the mechanism to specify the location of the key table file. The variable can be set to the following value: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +where \fI\fR can be \fBFILE\fR or \fBWRFILE\fR. \fBFILE\fR is for read operations; \fBWRFILE\fR is for write operations. \fI\fR is the location of the \fBkeytab\fR file. +.sp +If \fBKRB5_KTNAME\fR is not defined, the default value is: +.sp +.in +2 +.nf +FILE:/etc/krb5/krb5.keytab +.fi +.in -2 + +The \fBkeytab\fR file is used to store credentials persistently and is used commonly for service daemons. +.sp +Specifying the \fBFILE\fR type assumes that the subsequent operations on the associated file are readable by the invoking process. Care must be taken to ensure that the file is readable only by the set of principals that need to retrieve their unencrypted keys. +.sp +The \fBWRFILE\fR type is used by the \fBkadmin\fR(1M) command. Specifying this type allows the administrator to designate an alternate \fBkeytab\fR file to write to without using extra command line arguments for file location. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5CCNAME\fR\fR +.ad +.sp .6 +.RS 4n +Used by the mechanism to specify the location of the credential cache. The variable can be set to the following value: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +where \fI\fR can be \fBFILE\fR or \fBMEMORY\fR. \fI\fR is the location of the principal's credential cache. +.sp +If \fBKRB5CCNAME\fR is not defined, the default value is: +.sp +.in +2 +.nf +FILE:/tmp/krb5cc_\fI\fR +.fi +.in -2 + +where \fI\fR is the user id of the process that created the cache file. +.sp +The credential cache file is used to store tickets that have been granted to the principal. +.sp +Specifying the \fBFILE\fR types assumes that subsequent operations on the associated file are readable and writable by the invoking process. Care must be taken to ensure that the file is accessible only by the set of principals that need to access their credentials. If the credential file is in a directory to which other users have write access, you need to set that directory's sticky bit (see \fBchmod\fR(1)). +.sp +The \fBMEMORY\fR credential cache type is used only in special cases, such as when making a temporary cache for the life of the invoking process. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5RCNAME\fR\fR +.ad +.sp .6 +.RS 4n +Used by the mechanism to specify the type and location of the replay cache. The variable can be set to the following value: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +where \fI\fR can be either \fBFILE\fR, \fBMEMORY\fR, or \fBNONE\fR. \fI\fR is relevant only when specifying the replay cache file type. +.sp +If not defined, the default value is: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/root/rc_\fI\fR +.fi +.in -2 + +\&...if the process is owned by root, or: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/rc_\fI\fR +.fi +.in -2 + +\&...if the process is owned by a user other than root. \fI\fR is the service process name associated with the replay cache file. +.sp +The replay cache is used by Kerberos to detect the replay of authentication data. This prevents people who capture authentication messages on the network from authenticating to the server by resending these messages. +.sp +When specifying the \fBFILE\fR replay cache type, care must be taken to prevent the replay cache file from being deleted by another user. Make sure that every directory in the replay cache path is either writable only by the owner of the replay cache or that the sticky bit ("\fBt\fR") is set on every directory in the replay cache path to which others have write permission. +.sp +When specifying the \fBMEMORY\fR replay cache type you need to weigh the trade-off of performance against the slight security risk created by using a non-persistent cache. The risk occurs during system reboots when the following condition obtains: +.RS +4 +.TP +.ie t \(bu +.el o +The duration from the last write to the replay cache before reboot to the point when the Kerberized server applications are running is less than the Kerberos clockskew (see \fBkrb5.conf\fR(4)). +.RE +When specifying the \fBNONE\fR replay cache time you need to understand that this disables the replay cache, and all security risks that this presents. This includes all the risks outlined in this section of the man page. +.sp +Under this condition, the server applications can accept a replay of Kerberos authentication data (up to the difference between the time of the last write and the clockskew). Typically, this is a small window of time. If the server applications take longer than the clockskew to start accepting connections there is no replay risk. +.sp +The risk described above is the same when using \fBFILE\fR replay cache types when the replay cache resides on swap file systems, such as \fB/tmp\fR and \fB/var/run\fR. +.sp +The performance improvement in \fBMEMORY\fR replay cache types over \fBFILE\fR types is derived from the absence of disk I/O. This is true even if the \fBFILE\fR replay cache is on a memory-backed file system, such as swap (\fB/tmp\fR and \fB/var/run\fR). +.sp +Note that \fBMEMORY\fR-type caches are per-process caches, therefore use of these types of caches must be carefully considered. One example of where \fBMEMORY\fR-type caches can be problematic is when an application uses more than one process for establishing security contexts. In such a case, memory replay caches are not shared across the processes, thus allowing potential for replay attacks. +.RE + +.sp +.ne 2 +.mk +.na +\fBKRB5_CONFIG\fR +.ad +.sp .6 +.RS 4n +Allows the Kerberos library to read configuration parameters from a file other than \fB/etc/krb5/krb5.conf\fR. To use \fBkinit\fR from \fBksh\fR(1), use the following example: +.sp +.in +2 +.nf +KRB5_CONFIG=/var/tmp/krb5.conf kinit +.fi +.in -2 + +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for a description of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +\fBATTRIBUTE TYPE\fR\fBATTRIBUTE VALUE\fR +_ +Availabilitysystem/security/kerberos-5 +_ +Interface StabilityUncommitted +.TE + +.SH SEE ALSO +.sp +.LP +\fBchmod\fR(1), \fBkinit\fR(1), \fBklist\fR(1), \fBksh\fR(1), \fBkadmin\fR(1M), \fBkadmind\fR(1M), \fBkrb5.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/libgss.3lib --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/libgss.3lib Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,127 @@ +'\" te +.\" Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. +.TH libgss 3LIB "22 Aug 2011" "SunOS 5.12" "Interface Libraries" +.SH NAME +libgss \- Generic Security Services library +.SH SYNOPSIS +.LP +.nf +cc [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ] +#include <\fBgssapi/gssapi.h\fR> +.fi + +.SH DESCRIPTION +.sp +.LP +The functions in this library are the routines that comprise the Generic Security Services library. +.sp +.LP +When \fBlibgss\fR fails to load or initialize a mechanism listed in \fB/etc/gss/mech\fR, a message is sent to \fBsyslog\fR(3C). +.SH INTERFACES +.sp +.LP +The shared object \fBlibgss.so.1\fR provides the public interfaces defined below. See \fBIntro\fR(3) for additional information on shared object interfaces. +.sp + +.sp +.TS +tab(); +lw(2.75i) lw(2.75i) +lw(2.75i) lw(2.75i) +. +\fBgss_accept_sec_context\fR\fBgss_acquire_cred\fR +\fBgss_add_cred\fR\fBgss_add_oid_set_member\fR +\fBGSS_C_NT_ANONYMOUS\fR\fBGSS_C_NT_EXPORT_NAME\fR +\fBGSS_C_NT_HOSTBASED_SERVICE\fR\fBGSS_C_NT_MACHINE_UID_NAME\fR +\fBGSS_C_NT_STRING_UID_NAME\fR\fBGSS_C_NT_USER_NAME\fR +\fBgss_canonicalize_name\fR\fBgss_compare_name\fR +\fBgss_context_time\fR\fBgss_create_empty_oid_set\fR +\fBgss_delete_sec_context\fR\fBgss_display_name\fR +\fBgss_display_status\fR\fBgss_duplicate_name\fR +\fBgss_export_name\fR\fBgss_export_sec_context\fR +\fBgss_get_mic\fR\fBgss_import_name\fR +\fBgss_import_sec_context\fR\fBgss_indicate_mechs\fR +\fBgss_init_sec_context\fR\fBgss_inquire_context\fR +\fBgss_inquire_cred\fR\fBgss_inquire_cred_by_mech\fR +\fBgss_inquire_mechs_for_name\fR\fBgss_inquire_names_for_mech\fR +\fBgss_process_context_token\fR\fBgss_release_buffer\fR +\fBgss_release_cred\fR\fBgss_release_name\fR +\fBgss_release_oid\fR\fBgss_release_oid_set\fR +\fBgss_seal\fR\fBgss_sign\fR +\fBgss_store_cred\fR\fBgss_test_oid_set_member\fR +\fBgss_unseal\fR\fBgss_unwrap\fR +\fBgss_verify\fR\fBgss_verify_mic\fR +\fBgss_wrap\fR\fBgss_wrap_size_limit\fR +.TE + +.sp +.LP +There are also the following extensions to the official GSS-API, defined in \fB\fR. +.sp + +.sp +.TS +tab(); +lw(2.56i) lw(2.94i) +lw(2.56i) lw(2.94i) +. +\fBgss_acquire_cred_impersonate_name\fR\fBgss_add_buffer_set_member\fR +\fBgss_add_cred_impersonate_name\fR\fBgss_create_empty_buffer_set\fR +\fBgss_delete_name_attribute\fR\fBgss_inquire_name\fR +\fBgss_inquire_sec_context_by_oid\fRT{ +\fBgss_get_name_attribute gss_release_buffer_set\fR +T} +\fBgss_set_name_attribute\fR +.TE + +.SH FILES +.sp +.ne 2 +.mk +.na +\fB\fB/usr/lib/libgss.so.1\fR\fR +.ad +.RS 27n +.rt +shared object +.RE + +.sp +.ne 2 +.mk +.na +\fB\fB/usr/lib/64/libgss.so.1\fR\fR +.ad +.RS 27n +.rt +64-bit shared object file +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +Availabilitysystem/library/security/gss +_ +Interface StabilityCommitted +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBpvs\fR(1), \fBIntro\fR(2), \fBIntro\fR(3), \fBsyslog\fR(3C), \fBattributes\fR(5) +.sp +.LP +\fISolaris Security for Developers Guide\fR diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/libkrb5.3lib --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/libkrb5.3lib Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,1038 @@ +'\" te +.\" Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. +.TH libkrb5 3LIB "21 Apr 2011" "SunOS 5.12" "Interface Libraries" +.SH NAME +libkrb5 \- MIT Kerberos 5 library +.SH SYNOPSIS +.LP +.nf +\fBcc\fR \fB-I/usr/include/kerberosv5\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lkrb5\fR [ \fIlibrary\fR...] +#include <\fBkrb5.h\fR> +#include <\fBcom_err.h\fR> +.fi + +.SH DESCRIPTION +.sp +.LP +The functions in this library are the routines that comprise the MIT Kerberos 5 library. +.SH INTERFACES +.sp +.LP +The shared object \fBlibkrb5.so\fR provides the public interface defined below. +.sp +.LP +The \fBkrb5\fR library is provided as a convenience to allow native \fBkrb5\fR applications to be built and to run. Compatability between Solaris releases of the \fBkrb5\fR interface is not guaranteed. For new applications that require these features, \fBlibgss\fR(3LIB) is recomended. +.sp +.LP +For detailed documentation on the \fBkrb5\fR interface, see the MIT Kerberos 5 web site at \fBhttp://web.mit.edu/kerberos\fR. +.sp +.LP +The \fBkrb5_cc_gen_new\fR routine, listed in \fBkrb5.h\fR section, is flawed and should be avoided. Until a new routine is available from MIT, the following can be done: +.sp +.in +2 +.nf +char ccname[40]; +int tmpfd; + +snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX", + geteuid()); + +if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { + log("mkstemp(): %.100s", strerror(errno)); + problem = errno; + goto fail; +} +if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + log("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + problem = errno; + goto fail; +} + close(tmpfd); +problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache); +\&... +fail: +.fi +.in -2 + +.sp +.LP +The \fBkrb5_string_to_key\fR and \fBkrb5_string_to_key\fR routines, listed in \fB\fR section, are part of the old cryptosystem and should not be used in new applications. +.SS "\fB\fR" +.br +.in +2 +\fBcom_err\fR +.in -2 +.br +.in +2 +\fBcom_err_va\fR +.in -2 +.br +.in +2 +\fBerror_message\fR +.in -2 +.SS "\fB\fR" +.br +.in +2 +\fBkrb5_address_compare\fR +.in -2 +.br +.in +2 +\fBkrb5_address_order\fR +.in -2 +.br +.in +2 +\fBkrb5_address_search\fR +.in -2 +.br +.in +2 +\fBkrb5_allow_weak_crypto\fR +.in -2 +.br +.in +2 +\fBkrb5_aname_to_localname\fR +.in -2 +.br +.in +2 +\fBkrb5_appdefault_boolean\fR +.in -2 +.br +.in +2 +\fBkrb5_appdefault_string\fR +.in -2 +.br +.in +2 +\fBkrb5_anonymous_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_anonymous_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_free\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_genaddrs\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_get_checksum_func\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getaddrs\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getauthenticator\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getflags\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getkey\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getlocalseqnumber\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getrcache\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getrecvsubkey\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getremoteseqnumber\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_getsendsubkey\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_init\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_set_checksum_func\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setaddrs\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setflags\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setports\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setrcache\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setrecvsubkey\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setsendsubkey\fR +.in -2 +.br +.in +2 +\fBkrb5_auth_con_setuseruserkey\fR +.in -2 +.br +.in +2 +\fBkrb5_build_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_build_principal_ext\fR +.in -2 +.br +.in +2 +\fBkrb5_c_block_size\fR +.in -2 +.br +.in +2 +\fBkrb5_c_checksum_length\fR +.in -2 +.br +.in +2 +\fBkrb5_c_decrypt\fR +.in -2 +.br +.in +2 +\fBkrb5_c_encrypt\fR +.in -2 +.br +.in +2 +\fBkrb5_c_encrypt_length\fR +.in -2 +.br +.in +2 +\fBkrb5_c_enctype_compare\fR +.in -2 +.br +.in +2 +\fBkrb5_c_free_state\fR +.in -2 +.br +.in +2 +\fBkrb5_c_init_state\fR +.in -2 +.br +.in +2 +\fBkrb5_c_is_coll_proof_cksum\fR +.in -2 +.br +.in +2 +\fBkrb5_c_is_keyed_cksum\fR +.in -2 +.br +.in +2 +\fBkrb5_c_keyed_checksum_types\fR +.in -2 +.br +.in +2 +\fBkrb5_c_make_checksum\fR +.in -2 +.br +.in +2 +\fBkrb5_c_make_random_key\fR +.in -2 +.br +.in +2 +\fBkrb5_c_random_make_octets\fR +.in -2 +.br +.in +2 +\fBkrb5_c_string_to_key\fR +.in -2 +.br +.in +2 +\fBkrb5_c_string_to_key_with_params\fR +.in -2 +.br +.in +2 +\fBkrb5_c_valid_cksumtype\fR +.in -2 +.br +.in +2 +\fBkrb5_c_valid_enctype\fR +.in -2 +.br +.in +2 +\fBkrb5_c_verify_checksum\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_close\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_copy_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_default\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_default_name\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_destroy\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_end_seq_get\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_gen_new\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_get_config\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_get_name\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_get_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_get_type\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_initialize\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_next_cred\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_remove_cred\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_resolve\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_retrieve_cred\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_set_config\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_set_default_name\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_set_flags\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_start_seq_get\fR +.in -2 +.br +.in +2 +\fBkrb5_cc_store_cred\fR +.in -2 +.br +.in +2 +\fBkrb5_change_password\fR +.in -2 +.br +.in +2 +\fBkrb5_cksumtype_to_string\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_addresses\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_authdata\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_authenticator\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_checksum\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_data\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_keyblock\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_keyblock_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_copy_ticket\fR +.in -2 +.br +.in +2 +\fBkrb5_decode_authdata_container\fR +.in -2 +.br +.in +2 +\fBkrb5_decode_ticket\fR +.in -2 +.br +.in +2 +\fBkrb5_deltat_to_string\fR +.in -2 +.br +.in +2 +\fBkrb5_encode_authdata_container\fR +.in -2 +.br +.in +2 +\fBkrb5_enctype_to_string\fR +.in -2 +.br +.in +2 +\fBkrb5_free_addresses\fR +.in -2 +.br +.in +2 +\fBkrb5_free_ap_rep_enc_part\fR +.in -2 +.br +.in +2 +\fBkrb5_free_authdata\fR +.in -2 +.br +.in +2 +\fBkrb5_free_authenticator\fR +.in -2 +.br +.in +2 +\fBkrb5_free_checksum\fR +.in -2 +.br +.in +2 +\fBkrb5_free_checksum_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_free_cksumtypes\fR +.in -2 +.br +.in +2 +\fBkrb5_free_context\fR +.in -2 +.br +.in +2 +\fBkrb5_free_cred_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_free_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_free_data\fR +.in -2 +.br +.in +2 +\fBkrb5_free_data_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_free_default_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_free_error\fR +.in -2 +.br +.in +2 +\fBkrb5_free_host_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_free_keyblock\fR +.in -2 +.br +.in +2 +\fBkrb5_free_keyblock_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_free_keytab_entry_contents\fR +.in -2 +.br +.in +2 +\fBkrb5_free_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_free_realm_string\fR +.in -2 +.br +.in +2 +\fBkrb5_free_tgt_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_free_ticket\fR +.in -2 +.br +.in +2 +\fBkrb5_free_unparsed_name\fR +.in -2 +.br +.in +2 +\fBkrb5_fwd_tgt_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_get_credentials\fR +.in -2 +.br +.in +2 +\fBkrb5_get_credentials_renew\fR +.in -2 +.br +.in +2 +\fBkrb5_get_credentials_validate\fR +.in -2 +.br +.in +2 +\fBkrb5_get_default_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_get_error_message\fR +.in -2 +.br +.in +2 +\fBkrb5_get_host_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_keytab\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_get_fast_flags\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_init\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_address_list\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_anonymous\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_etype_list\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_fast_ccache_name\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_fast_flags\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_forwardable\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_out_ccache\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_preauth_list\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_proxiable\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_renew_life\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_salt\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_opt_set_tkt_life\fR +.in -2 +.br +.in +2 +\fBkrb5_get_key_data\fR +.in -2 +.br +.in +2 +\fBkrb5_get_key_enctype\fR +.in -2 +.br +.in +2 +\fBkrb5_get_key_length\fR +.in -2 +.br +.in +2 +\fBkrb5_get_init_creds_password\fR +.in -2 +.br +.in +2 +\fBkrb5_get_permitted_enctypes\fR +.in -2 +.br +.in +2 +\fBkrb5_get_profile\fR +.in -2 +.br +.in +2 +\fBkrb5_get_prompt_types\fR +.in -2 +.br +.in +2 +\fBkrb5_get_renewed_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_get_server_rcache\fR +.in -2 +.br +.in +2 +\fBkrb5_get_validated_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_init_allocated_keyblock\fR +.in -2 +.br +.in +2 +\fBkrb5_init_context\fR +.in -2 +.br +.in +2 +\fBkrb5_init_keyblock\fR +.in -2 +.br +.in +2 +\fBkrb5_init_secure_context\fR +.in -2 +.br +.in +2 +\fBkrb5_is_config_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_is_thread_safe\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_add_entry\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_close\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_default\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_default_name\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_end_seq_get\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_get_entry\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_get_name\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_get_type\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_next_entry\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_read_service_key\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_remove_entry\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_resolve\fR +.in -2 +.br +.in +2 +\fBkrb5_kt_start_seq_get\fR +.in -2 +.br +.in +2 +\fBkrb5_kuserok\fR +.in -2 +.br +.in +2 +\fB krb5_make_authdata_kdc_issued\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_error\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_ncred\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_priv\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_rep\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_req\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_req_extended\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_safe\fR +.in -2 +.br +.in +2 +\fBkrb5_mk_1cred\fR +.in -2 +.br +.in +2 +\fBkrb5_os_localaddr\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_add_buffer\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_free\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_get_types\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_get_buffer\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_init\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_parse\fR +.in -2 +.br +.in +2 +\fBkrb5_pac_verify\fR +.in -2 +.br +.in +2 +\fBkrb5_parse_name\fR +.in -2 +.br +.in +2 +\fBkrb5_principal_compare\fR +.in -2 +.br +.in +2 +\fBkrb5_principal2salt\fR +.in -2 +.br +.in +2 +\fBkrb5_prompter_posix\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_cred\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_error\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_priv\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_rep\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_req\fR +.in -2 +.br +.in +2 +\fBkrb5_rd_safe\fR +.in -2 +.br +.in +2 +\fBkrb5_read_password\fR +.in -2 +.br +.in +2 +\fBkrb5_realm_compare\fR +.in -2 +.br +.in +2 +\fBkrb5_realm_iterator\fR +.in -2 +.br +.in +2 +\fBkrb5_realm_iterator_create\fR +.in -2 +.br +.in +2 +\fBkrb5_realm_iterator_free\fR +.in -2 +.br +.in +2 +\fBkrb5_recvauth\fR +.in -2 +.br +.in +2 +\fBkrb5_recvauth_version\fR +.in -2 +.br +.in +2 +\fBkrb5_salttype_to_string\fR +.in -2 +.br +.in +2 +\fBkrb5_sendauth\fR +.in -2 +.br +.in +2 +\fBkrb5_set_default_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_set_default_tgs_enctypes\fR +.in -2 +.br +.in +2 +\fBkrb5_set_key_data\fR +.in -2 +.br +.in +2 +\fBkrb5_set_key_enctype\fR +.in -2 +.br +.in +2 +\fBkrb5_set_key_length\fR +.in -2 +.br +.in +2 +\fBkrb5_set_password\fR +.in -2 +.br +.in +2 +\fBkrb5_set_password_using_ccache\fR +.in -2 +.br +.in +2 +\fBkrb5_set_principal_realm\fR +.in -2 +.br +.in +2 +\fBkrb5_set_real_time\fR +.in -2 +.br +.in +2 +\fBkrb5_sname_to_principal\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_cksumtype\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_deltat\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_enctype\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_key\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_salttype\fR +.in -2 +.br +.in +2 +\fBkrb5_string_to_timestamp\fR +.in -2 +.br +.in +2 +\fBkrb5_timeofday\fR +.in -2 +.br +.in +2 +\fBkrb5_timestamp_to_sfstring\fR +.in -2 +.br +.in +2 +\fBkrb5_timestamp_to_string\fR +.in -2 +.br +.in +2 +\fBkrb5_unparse_name\fR +.in -2 +.br +.in +2 +\fBkrb5_unparse_name_ext\fR +.in -2 +.br +.in +2 +\fBkrb5_us_timeofday\fR +.in -2 +.br +.in +2 +\fBkrb5_use_enctype\fR +.in -2 +.br +.in +2 +\fBkrb5_verify_authdata_kdc_issued\fR +.in -2 +.br +.in +2 +\fBkrb5_verify_init_creds\fR +.in -2 +.br +.in +2 +\fBkrb5_verify_init_creds_opt_init\fR +.in -2 +.br +.in +2 +\fBkrb5_verify_init_creds_opt_set_ap_req_nofail\fR +.in -2 +.br +.in +2 +\fBkrb5_xfree\fR +.in -2 +.br +.in +2 +\fBkrb5_xfree_wrap\fR +.in -2 +.SH FILES +.sp +.ne 2 +.mk +.na +\fB\fB/usr/lib/libkrb5.so.1\fR\fR +.ad +.RS 28n +.rt +shared object +.RE + +.sp +.ne 2 +.mk +.na +\fB\fB/usr/lib/64/libkrb5.so.1\fR\fR +.ad +.RS 28n +.rt +64-bit shared object +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +ATTRIBUTE TYPEATTRIBUTE VALUE +_ +Availabilityservice/security/kerberos-5 +_ +Interface StabilityVolatile +_ +MT-LevelSafe +.TE + +.SH SEE ALSO +.sp +.LP +\fBkrb5-config\fR(1), \fBlibgss\fR(3LIB), \fBattributes\fR(5) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/zh_CN.UTF-8/kerberos.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/zh_CN.UTF-8/kerberos.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,117 @@ +'\" te +.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved +.TH kerberos 5 "2008 年 10 月 1 日" "SunOS 5.12" "标准、环境和宏" +.SH 名称 +kerberos \- Solaris Kerberos 实现概述 +.SH 描述 +.sp +.LP +Solaris Kerberos 实现(后文有时简称为 "Kerberos")会验证网络环境中的客户机,从而实现安全事务。(客户机可以是用户或网络服务。)Kerberos 会验证客户机的身份以及所传输数据的真实性。Kerberos 是\fIsingle-sign-on\fR系统,意味着用户仅需要在会话开始时提供口令。Solaris Kerberos 实现是基于 \fBMIT\fR 开发的 Kerberos(TM) 系统,并与异构网络上的 Kerberos V5 系统兼容。 +.sp +.LP +Kerberos 通过授予客户机\fI票证\fR发挥作用,票证可唯一地标识客户机并具有有限生命周期。将针对票证所属网络服务自动验证拥有票证的客户机;例如,具有有效 Kerberos 票证的用户可登录运行 Kerberos 的其他计算机,而无需标识自身。由于每个客户机均具有唯一的票证,因此可保证其身份。 +.sp +.LP +要获得票证,客户机必须首先使用 \fBkinit\fR(1) 命令或 \fBPAM\fR 模块初始化 Kerberos 会话。(请参见 \fBpam_krb5\fR(5))。\fBkinit\fR 提示输入口令,然后与密钥分发中心 (\fIKey Distribution Center\fR, \fBKDC\fR) 通信。\fBKDC\fR 返回票证授予票证 (\fITicket-Granting Ticket\fR, \fBTGT\fR) 并提示输入确认口令。如果客户机确认口令,则它可以使用票证授予票证来获得特定网络服务的票证。因为以透明方式授予票证,所以用户无需担心票证管理。可使用 \fBklist\fR(1) 命令查看当前票证。 +.sp +.LP +票证的有效性取决于安装时设置的系统\fI策略\fR。例如,票证具有缺省的有效生命周期。策略可以进一步指示特权票证(如属于 root 的票证)具有很短的生命周期。策略还可以允许覆盖某些缺省值;例如,客户机可以请求生命周期大于或小于缺省值的票证。 +.sp +.LP +可使用 \fBkinit\fR 更新票证。票证也是\fI可转发的\fR,允许您将一台计算机上授予的票证用在其他主机上。可使用 \fBkdestroy\fR(1) 销毁票证。在 \fB\&.logout\fR 文件中包含 \fBkdestroy\fR 调用是个不错的选择。 +.sp +.LP +在 Kerberos 中,客户机称为\fI主体\fR。主体的格式如下: +.sp +.in +2 +.nf +primary/instance@REALM +.fi +.in -2 +.sp + +.sp +.ne 2 +.mk +.na +\fBprimary\fR +.ad +.RS 12n +.rt +用户、主机或服务。 +.RE + +.sp +.ne 2 +.mk +.na +\fBinstance\fR +.ad +.RS 12n +.rt +主体的限定。如果主体为主机(由关键字 \fBhost\fR 表示),则实例是该主机的完全限定域名。如果主体是用户或服务,则实例是可选项。某些实例具有特权,如 \fBadmin\fR 或 \fBroot\fR。 +.RE + +.sp +.ne 2 +.mk +.na +\fBrealm\fR +.ad +.RS 12n +.rt +域的 Kerberos 等效项;事实上,在大部分情况下领域直接映射到 \fBDNS\fR 域名。提供的 Kerberos 领域仅可为大写。有关主体名称的示例,请参见“示例”。 +.RE + +.sp +.LP +通过利用一般安全服务 \fBAPI\fR (General Security Services API, \fBGSS-API\fR),Kerberos 还提供用户验证以外的其他两种类型的安全服务:\fI完整性\fR(验证所传输数据的有效性)以及\fI保密性\fR(加密所传输的数据)。开发人员可通过使用 RPCSEC_GSS \fBAPI\fR 接口来利用 \fBGSS-API\fR(请参见 \fBrpcsec_gss\fR(3NSL))。 +.SH 示例 +.LP +\fB示例 1 \fR有效主体名称的示例 +.sp +.LP +以下是有效的主体名称示例: + +.sp +.in +2 +.nf + joe + joe/admin + joe@ENG.ACME.COM + joe/admin@ENG.ACME.COM + rlogin/bigmachine.eng.acme.com@ENG.ACME.COM + host/bigmachine.eng.acme.com@ENG.ACME.COM +.fi +.in -2 +.sp + +.sp +.LP +前四个例子是\fI用户主体\fR。在前两个例子中,假设用户 \fBjoe\fR 与客户机处于相同领域,所以未指定领域。请注意,即使同一用户在使用 \fBjoe\fR 和 \fBjoe/admin\fR,它们仍是不同的主体;\fBjoe/admin\fR 拥有与 \fBjoe\fR 不同的特权。第五个例子是\fI服务主体\fR,而最后一个例子是\fI主机主体\fR。对于主机主体,需要 \fBhost\fR 这一单词。有了主机主体,实例即是完全限定主机名。请注意,单词 \fBadmin\fR 和 \fBhost\fR 是保留关键字。 + +.SH 另请参见 +.sp +.LP +\fBkdestroy\fR(1)、\fBkinit\fR(1)、\fBklist\fR(1)、\fBkpasswd\fR(1)、\fBkrb5.conf\fR(4)、\fBkrb5envvar\fR(5) +.sp +.LP +《\fI《系统管理指南:安全服务》\fR》 +.SH 附注 +.sp +.LP +在以前版本的 Solaris 操作系统中,Solaris Kerberos 实现称为“Sun Enterprise 验证机制”(Sun Enterprise Authentication Mechanism, SEAM)。 +.sp +.LP +如果输入您的用户名,\fBkinit\fR 会以下面的消息响应: +.sp +.in +2 +.nf +Principal unknown (kerberos) +.fi +.in -2 +.sp + +.sp +.LP +您尚未注册为 Kerberos 用户。请与您的系统管理员联系或请参见《\fI《系统管理指南:安全性服务》\fR》。 diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/man/zh_CN.UTF-8/krb5envvar.5 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/man/zh_CN.UTF-8/krb5envvar.5 Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,178 @@ +'\" te +.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved +.TH krb5envvar 5 "2008 年 2 月 13 日" "SunOS 5.12" "标准、环境和宏" +.SH 名称 +krb5envvar \- Kerberos 环境变量 +.SH 描述 +.sp +.LP +Kerberos 机制提供了许多环境变量,可配置不同行为来满足应用程序的需求。Kerberos 机制中使用的环境变量包括: +.sp +.ne 2 +.mk +.na +\fB\fBKRB5_KTNAME\fR\fR +.ad +.sp .6 +.RS 4n +由机制用于指定密钥表文件的位置。该变量可设置为以下值: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +其中 \fI\fR 可以为 \fBFILE\fR 或 \fBWRFILE\fR。\fBFILE\fR 表示读取操作;\fBWRFILE\fR 表示写入操作。\fI\fR 是 \fBkeytab\fR 文件的位置。 +.sp +r +.sp +如果未定义 \fBKRB5_KTNAME\fR,缺省值为: +.sp +.in +2 +.nf +FILE:/etc/krb5/krb5.keytab +.fi +.in -2 + +\fBkeytab\fR 文件用于永久存储凭证并且通常用于服务守护进程。 +.sp +指定 \fBFILE\fR 类型即假设对关联文件的后续操作可由调用进程读取。务必小心确保文件仅可供需要检索未加密密钥的主体集读取。 +.sp +\fBWRFILE\fR 类型由 \fBkadmin\fR(1M) 命令使用。指定此类型可允许管理员指定要写入的替代 \fBkeytab\fR 文件,而无需对文件位置使用其他命令行参数。 +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5CCNAME\fR\fR +.ad +.sp .6 +.RS 4n +由机制用于指定凭证高速缓存的位置。该变量可设置为以下值: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +其中,\fI\fR 可以是 \fBFILE\fR 或 \fBMEMORY\fR。\fI\fR 是主体的凭证高速缓存的位置。 +.sp +如果未定义 \fBKRB5CCNAME\fR,缺省值为: +.sp +.in +2 +.nf +FILE:/tmp/krb5cc_\fI\fR +.fi +.in -2 + +其中,\fI\fR 是创建高速缓存文件的进程的用户 ID。 +.sp +凭证高速缓存文件用于存储已授予主体的票证。 +.sp +指定 \fBFILE\fR 类型即假设对关联文件的后续操作可由调用进程读取和写入。务必小心确保文件仅可供需要访问凭证的主体集访问。如果凭证文件位于其他用户拥有写入访问权的目录中,则需要设置该目录的 Sticky 位(请参见 \fBchmod\fR(1))。 +.sp +\fBMEMORY\fR 凭证高速缓存类型仅在特殊情况下使用,如为调用进程的生命周期创建临时高速缓存时。 +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBKRB5RCNAME\fR\fR +.ad +.sp .6 +.RS 4n +由机制用于指定重放高速缓存的类型和位置。该变量可设置为以下值: +.sp +.in +2 +.nf +[[\fI\fR:]\fI\fR] +.fi +.in -2 + +其中,\fI\fR 可以是 \fBFILE\fR、\fBMEMORY\fR 或 \fBNONE\fR。\fI\fR 仅在指定重放高速缓存文件类型时相关。 +.sp +如果未定义,缺省值为: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/root/rc_\fI\fR +.fi +.in -2 + +\&...如果进程的所有者为 root,或: +.sp +.in +2 +.nf +FILE:/var/krb5/rcache/rc_\fI\fR +.fi +.in -2 + +\&...如果进程的所有者为 root 以外的用户。\fI\fR 是与重放高速缓存文件相关联的服务进程名称。 +.sp +重放高速缓存由 Kerberos 用于检测验证数据的重放。这可防止在网络上捕捉验证消息的人员通过重新发送这些消息来针对服务器进行验证。 +.sp +当指定 \fBFILE\fR 重放高速缓存类型时,必须小心防止其他用户删除重放高速缓存文件。请确保重放高速缓存路径中的每个目录仅可由重放高速缓存的所有者写入,或者其他人具有写入权限的重放高速缓存路径中每个目录上均已设置 Sticky 位 ("\fBt\fR")。 +.sp +当指定 \fBMEMORY\fR 重放高速缓存类型时,您需要在性能与使用非持久性高速缓存产生的轻度安全风险之间进行权衡。系统重新引导期间发生以下状况即会产生风险: +.RS +4 +.TP +.ie t \(bu +.el o +从重新引导前上次写入重放高速缓存到 Kerberos 服务器应用程序运行时的持续时间少于 Kerberos 时钟相位差(请参见 \fBkrb5.conf\fR(4))。 +.RE +当指定 \fBNONE\fR 重放高速缓存时间时,您需要了解这将会禁用重放高速缓存及其所带来的全部安全性风险。这包括手册页的此部分中所述的全部风险。 +.sp +在此状况下,服务器应用程序可接受重放 Kerberos 验证数据(直到上次写入时与时钟相位差之间的差异为止)。通常,这是一小段时间而已。如果服务器应用程序开始接受连接所花的时间比时钟相位差长,则没有重放风险。 +.sp +如果重放高速缓存位于 swap 文件系统(如 \fB/tmp\fR 和 \fB/var/run\fR)中时使用 \fBFILE\fR 重放高速缓存类型,仍存在上述风险。 +.sp +通过 \fBFILE\fR 类型的 \fBMEMORY\fR 重放高速缓存类型性能改进得益于无需磁盘 I/O。即使 \fBFILE\fR 重放高速缓存位于内存备份文件系统上仍是如此,如 swap(\fB/tmp\fR 和 \fB/var/run\fR)。 +.sp +请注意,\fBMEMORY\fR 类型高速缓存是每进程高速缓存,因此必须谨慎使用这些类型的高速缓存。\fBMEMORY\fR 类型高速缓存可能产生问题的示例之一即是应用程序使用多个进程来建立安全上下文。在此情况下,内存重放高速缓存不会在进程中共享,从而使重放攻击成为可能。 +.RE + +.sp +.ne 2 +.mk +.na +\fBKRB5_CONFIG\fR +.ad +.sp .6 +.RS 4n +允许您更改 \fB/etc/krb5/krb5.conf\fR 文件的缺省位置,以使 Kerberos 库代码从 KRB5_CONFIG 指定的其他文件中读取配置参数。例如(使用 \fBksh\fR(1) 的 kinit): +.sp +.in +2 +.nf + KRB5_CONFIG=/var/tmp/krb5.conf kinit +.fi +.in -2 + +.RE + +.SH 属性 +.sp +.LP +有关以下属性的说明,请参见 \fBattributes\fR(5): +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. +属性类型\fB\fR属性值\fB\fR +_ +可用性system/security/kerberos-5 +_ +接口稳定性Uncommitted(未确定) +.TE + +.SH 另请参见 +.sp +.LP +\fBchmod\fR(1)、\fBkinit\fR(1)、\fBklist\fR(1)、\fBksh\fR(1)、\fBkadmin\fR(1M)、\fBkadmind\fR(1M)、\fBkrb5.conf\fR(4)、\fBattributes\fR(5)、\fBkerberos\fR(5) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/mech --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/mech Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,9 @@ +# +# Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. +# +# This file contains the GSS-API based security mechanism names, +# its object identifier (OID) and a shared library that implements +# the services for that mechanism under GSS-API. +# +# Mechanism Name Object Identifier Shared Library +# diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/missing_interfaces.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/missing_interfaces.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * missing_interfaces.c: + * + * Following two interfaces are to provide runtime dependencies for kerberos + * related components staying in ON. + * + */ +#include +#include + +/* avoid including krb5-int.h, it defines functions and introduces deps */ +extern void k5_des_fixup_key_parity(unsigned char *keybits); +extern krb5_error_code k5_os_init_context(krb5_context context, + profile_t profile, krb5_flags flags); +typedef unsigned char mit_des_cblock[8]; + +void +mit_des_fixup_key_parity(mit_des_cblock key) +{ + k5_des_fixup_key_parity(key); +} + +krb5_error_code +krb5_os_init_context(krb5_context ctx, krb5_boolean kdc) +{ + return k5_os_init_context(ctx, NULL, kdc? 0x2 : 0x0); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/privacy_allowed.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/privacy_allowed.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,19 @@ +/* + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * privacy_allowed.c: + * + * This is to provide a solaris specific interface to meet the dependencies of + * ON. + * + */ + +#include + +krb5_boolean +krb5_privacy_allowed(void) +{ + return (TRUE); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/prof_solaris.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/prof_solaris.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,1362 @@ +/* + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * prof_solaris.c: + * Abstracted contract private interfaces for configuring krb5.conf(4). + */ + +#include +#include +#include "prof_solaris.h" +#include "k5-int.h" +#include "../../util/profile/prof_int.h" + +struct profile_string_list { + char **list; + unsigned int num; + unsigned int max; +}; + +/* + * Initialize the string list abstraction. + */ +static errcode_t init_list(struct profile_string_list *list) +{ + list->num = 0; + list->max = 10; + list->list = malloc(list->max * sizeof (char *)); + if (list->list == 0) + return ENOMEM; + list->list[0] = 0; + return 0; +} + +/* + * Free any memory left over in the string abstraction, returning the + * built up list in *ret_list if it is non-null. + */ +static void end_list(struct profile_string_list *list, char ***ret_list) +{ + char **cp; + + if (list == 0) + return; + + if (ret_list) { + *ret_list = list->list; + return; + } else { + for (cp = list->list; *cp; cp++) + free(*cp); + free(list->list); + } + list->num = list->max = 0; + list->list = 0; +} + +/* + * Add a string to the list. + */ +static errcode_t add_to_list(struct profile_string_list *list, const char *str) +{ + char *newstr, **newlist; + unsigned int newmax; + + if (list->num+1 >= list->max) { + newmax = list->max + 10; + newlist = realloc(list->list, newmax * sizeof (char *)); + if (newlist == 0) + return ENOMEM; + list->max = newmax; + list->list = newlist; + } + newstr = strdup(str); + if (newstr == 0) + return ENOMEM; + + list->list[list->num++] = newstr; + list->list[list->num] = 0; + return 0; +} + +/* + * key: + * If key is NULL then all entries in the section specified are returned. + * case_ins: + * If set a case insensitive lookup is performed and if found then only one + * entry is returned which only differs by case. + * If unset a case sensitive lookup is performed and all entries matching + * the lookup are returned. + */ +errcode_t +k5_profile_iter_name_value(profile_t profile, char *section, char *key, + char ***retvals, boolean_t case_ins) +{ + const char *hierarchy[4]; + errcode_t code, code2; + char *name = NULL, *value = NULL, **ret_values = NULL; + void *state = NULL; + struct profile_string_list values; + boolean_t found = B_FALSE; + + hierarchy[0] = section; + hierarchy[1] = NULL; + + if (code = init_list(&values)) + return (code); + + code = profile_iterator_create(profile, hierarchy, + PROFILE_ITER_LIST_SECTION, &state); + /* Change loop condition to fix the profile iterator issue */ + while (state != NULL) { + code = profile_iterator(&state, &name, &value); + if (code == 0 && name != NULL) { + + if (key != NULL && value != NULL) { + boolean_t ex_match = strcmp(key, value) ? + B_FALSE : B_TRUE; + boolean_t match = strcasecmp(key, value) ? + B_FALSE : B_TRUE; + + if (ex_match == B_FALSE && case_ins == B_TRUE && + match == B_TRUE) { + code2 = add_to_list(&values, name); + if (code2 != 0) { + end_list(&values, 0); + code = code2; + } else + end_list(&values, &ret_values); + goto cleanup; + } else if (ex_match == B_FALSE || + case_ins == B_TRUE) + goto not_found; + } + code2 = add_to_list(&values, name); + if (code2 != 0) { + end_list(&values, 0); + code = code2; + goto cleanup; + } + found = B_TRUE; + } + +not_found: + if (name != NULL) { + profile_release_string(name); + name = NULL; + } + if (value != NULL) { + profile_release_string(value); + value = NULL; + } + } + code = 0; + if (found == B_TRUE) + end_list(&values, &ret_values); + else + end_list(&values, 0); + +cleanup: + if (state != NULL) + profile_iterator_free(&state); + if (name != NULL) + profile_release_string(name); + if (value != NULL) + profile_release_string(value); + + *retvals = ret_values; + + return (code); +} + +errcode_t +k5_profile_get_domain_realm(profile_t profile, char *realm, char ***domains, + boolean_t case_ins) +{ + if (profile == NULL || realm == NULL || domains == NULL) + return (EINVAL); + + return (k5_profile_iter_name_value(profile, "domain_realm", realm, + domains, case_ins)); +} + +errcode_t +k5_profile_set_appdefaults(profile_t profile) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL) + return (EINVAL); + + hierarchy[0] = "appdefaults"; + hierarchy[1] = "kinit"; + hierarchy[3] = NULL; + + hierarchy[2] = "renewable"; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, "true"); + if (code != 0) + return (code); + + hierarchy[2] = "forwardable"; + + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, "true"); + + return (code); +} + +errcode_t +k5_profile_set_logging(profile_t profile) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL) + return (EINVAL); + + hierarchy[0] = "logging"; + hierarchy[2] = NULL; + hierarchy[3] = NULL; + + hierarchy[1] = "default"; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, + "FILE:/var/krb5/kdc.log"); + if (code != 0) + return (code); + + hierarchy[1] = "kdc"; + + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, + "FILE:/var/krb5/kdc.log"); + if (code != 0) + return (code); + + hierarchy[1] = "kdc_rotate"; + + hierarchy[2] = "period"; + + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, "1d"); + if (code != 0) + return (code); + + hierarchy[2] = "versions"; + + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, "10"); + + return (code); +} + +/* + * DEPRECATED - use k5_profile_add_libdefaults_entry() instead. + * + * errcode_t k5_profile_set_libdefaults(profile_t profile, char *realm) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the realm name to be added as the default_realm + */ +errcode_t +k5_profile_set_libdefaults(profile_t profile, char *realm) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + hierarchy[0] = "libdefaults"; + hierarchy[1] = "default_realm"; + hierarchy[2] = NULL; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, realm); + + return (code); +} + +errcode_t +k5_profile_set_kdc(profile_t profile, char *realm, char *kdc, + boolean_t overwrite) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL || realm == NULL || kdc == NULL) + return (EINVAL); + + hierarchy[0] = "realms"; + hierarchy[1] = realm; + hierarchy[3] = NULL; + + hierarchy[2] = "kdc"; + + if (overwrite == B_TRUE) { + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + } + + code = profile_add_relation(profile, hierarchy, kdc); + + return (code); +} + +/* + * errcode_t k5_profile_release(profile_t profile) + * + * where profile was the pointer passed back by k5_profile_init + * Note: used to commit the associated profile to the backing store + * (e.g. file) and free profile memory + * Note: that this function returns an error code which profile_release + * does not. With the error code, the application can determine if they + * need to free the resulting profile information in memory + */ +errcode_t +k5_profile_release(profile_t profile) +{ + prf_file_t p, next; + errcode_t code; + + if (profile == NULL || profile->magic != PROF_MAGIC_PROFILE) + return (EINVAL); + + for (p = profile->first_file; p; p = next) { + next = p->next; + if ((code = profile_close_file(p)) != 0) + return (code); + } + profile->magic = 0; + free(profile); + + return (0); +} + +/* + * void k5_profile_abandon(profile_t profile) + * + * where profile was the pointer passed back by k5_profile_init + * Note: used to free any profile information in memory. Typically can + * be used in conjunction with k5_profile_release upon error + */ +void +k5_profile_abandon(profile_t profile) +{ + profile_abandon(profile); +} + +/* + * errcode_t k5_profile_add_domain_mapping(profile_t profile, char *domain, + * char *realm) + * + * where profile was the pointer passed back by k5_profile_init + * where domain is the domain name of the associated realm name + * where realm is the corresponding realm name for the domain + */ +errcode_t +k5_profile_add_domain_mapping(profile_t profile, char *domain, char *realm) +{ + const char *hierarchy[4]; + errcode_t code = 0; + + if (profile == NULL || domain == NULL || realm == NULL) + return (EINVAL); + + hierarchy[0] = "domain_realm"; + hierarchy[1] = domain; + hierarchy[2] = NULL; + + /* + * Not fatal if relation can't be cleared, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, realm); + + return (code); +} + +/* + * errcode_t k5_profile_remove_domain_mapping(profile_t profile, char *realm) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the corresponding realm name for the domain + * Note: for the remove function, all matching domain - realm mappings + * will be removed for realm + */ +errcode_t +k5_profile_remove_domain_mapping(profile_t profile, char *realm) +{ + const char *hierarchy[4]; + errcode_t code; + char **domains = NULL, **domain = NULL; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + hierarchy[0] = "domain_realm"; + hierarchy[1] = NULL; + hierarchy[2] = NULL; + + code = k5_profile_get_domain_realm(profile, realm, &domains, B_FALSE); + if (code == 0 && domains != NULL) { + for (domain = domains; *domain; domain++) { + hierarchy[1] = *domain; + code = profile_clear_relation(profile, hierarchy); + if (code != 0) + goto error; + } + } + +error: + if (domains != NULL) + profile_free_list(domains); + + return (code); +} + +/* + * errcode_t k5_profile_get_realm_entry(profile_t profile, char *realm, + * char *name, char ***ret_value) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the target realm for lookup + * where name is the name in the realm section requested + * where ret_value is a string array of any matching values assigned to name. + * The array is terminated with a NULL pointer. + * Note: if name has not been configured then NULL is returned for ret_value. + */ +errcode_t +k5_profile_get_realm_entry(profile_t profile, char *realm, char *name, + char ***ret_value) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL || realm == NULL || name == NULL || + ret_value == NULL) + return (EINVAL); + + *ret_value = NULL; + + hierarchy[0] = "realms"; + hierarchy[1] = realm; + hierarchy[2] = name; + hierarchy[3] = NULL; + + code = profile_get_values(profile, hierarchy, ret_value); + + if (code == PROF_NO_RELATION) + code = 0; + + return (code); +} + +/* + * errcode_t k5_profile_add_realm_entry(profile_t profile, char *realm, + * char *name, char **value) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the target realm for the name-value pair + * where name is the name in the realm subsection to add + * where value is a string array values to assigned to name. The array is + * terminated with a NULL pointer. + * Note: if the realm subsection does no exist then an error is returned + * Note: if the name already exists the set is overwritten with the values + * passed + */ +errcode_t +k5_profile_add_realm_entry(profile_t profile, char *realm, char *name, + char **values) +{ + const char *hierarchy[4]; + errcode_t code; + char **tvalue = NULL; + + if (profile == NULL || realm == NULL || name == NULL || values == NULL) + return (EINVAL); + + hierarchy[0] = "realms"; + hierarchy[1] = realm; + hierarchy[2] = name; + hierarchy[3] = NULL; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + for (tvalue = values; *tvalue; tvalue++) { + + code = profile_add_relation(profile, hierarchy, *tvalue); + if (code != 0) + return (code); + } + + return (0); +} + +/* + * DEPRECATED - use k5_profile_get_libdefaults_entry() instead. + * + * errcode_t k5_profile_get_default_realm(profile_t profile, char **realm) + * where profile was the pointer passed back by k5_profile_init + * where realm is the default_realm configured for the system + * Note: if default_realm has not been configured then NULL is returned for + * realm. + */ +errcode_t +k5_profile_get_default_realm(profile_t profile, char **realm) +{ + errcode_t code; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + *realm = NULL; + + code = profile_get_string(profile, "libdefaults", "default_realm", 0, 0, + realm); + + if (code == PROF_NO_RELATION) + code = 0; + + return (code); +} + +/* + * errcode_t k5_profile_get_realms(profile_t profile, char ***realms) + * + * where profile was the pointer passed back by k5_profile_init + * where realms is a string array of realm names currently configured. + * The array is terminated with a NULL pointer. + * Note: if realms have not been configured then NULL is returned for realms. + */ +errcode_t +k5_profile_get_realms(profile_t profile, char ***realms) +{ + + if (profile == NULL || realms == NULL) + return (EINVAL); + + *realms = NULL; + + return (k5_profile_iter_name_value(profile, "realms", NULL, realms, + B_FALSE)); +} + +/* + * errcode_t k5_profile_add_realm(profile_t profile, char *realm, + * char *master, char **kdcs, boolean_t set_change, boolean_t + * default_realm) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the realm name associated with the configuration + * where master is the server that is assigned to admin_server + * If master is set to NULL, admin_server entry will not be updated. + * where kdcs is a string array of KDCs used to populate the kdc set. + * The array is terminated with a NULL pointer. + * If kdcs is set to NULL, kdc entries will not be updated. + * where set_change, if set, will use the SET_CHANGE protocol for password + * modifications. RPCSEC_GSS is set by default + * where default_realm, if set, will assign the realm to default_realm + * Note: the ordering of kdcs is determined by the server's position in the + * array + */ +errcode_t +k5_profile_add_realm(profile_t profile, char *realm, char *master, char **kdcs, + boolean_t set_change, boolean_t default_realm) +{ + const char *hierarchy[4]; + errcode_t code; + boolean_t ow = B_TRUE; + char **tkdcs; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + /* + * Sets the default realm to realm if default_realm flag is set. + */ + if (default_realm == B_TRUE) { + if (code = k5_profile_set_libdefaults(profile, realm)) + return (code); + } + + hierarchy[0] = "realms"; + hierarchy[1] = realm; + hierarchy[3] = NULL; + + if (master != NULL) { + hierarchy[2] = "admin_server"; + + /* + * Not fatal if this fails, therefore return code is not checked. + */ + (void) profile_clear_relation(profile, hierarchy); + + if (code = profile_add_relation(profile, hierarchy, master)) + return (code); + } + + /* + * If not set then defaults to undefined, which defaults to RPCSEC_GSS. + */ + if (set_change == B_TRUE) { + hierarchy[2] = "kpasswd_protocol"; + + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, "SET_CHANGE"); + if (code != 0) + return (code); + } + + if (kdcs != NULL) { + for (tkdcs = kdcs; *tkdcs; tkdcs++) { + if (code = k5_profile_set_kdc(profile, realm, *tkdcs, ow)) + return (code); + ow = B_FALSE; + } + } + + code = k5_profile_set_logging(profile); + if (code != 0) + return (code); + + code = k5_profile_set_appdefaults(profile); + + return (code); +} + +/* + * errcode_t k5_profile_remove_xrealm_mapping(profile_t profile, char *realm) + * + * where profile was the pointer passed back by k5_profile_init + * where source is the source realm for the capath + * where target is the target realm for the capath + * where inter is the intermediate realm between the source and target + * realms. If the source and target share x-realm keys then this set to "." + * Note: for the remove function, all associated source, target, and + * intermediate entries will be removed matching the realm name + */ +errcode_t +k5_profile_remove_xrealm_mapping(profile_t profile, char *realm) +{ + const char *hierarchy[4]; + errcode_t code, code2, code3; + void *state = NULL, *state2 = NULL; + char *source = NULL, *dummy_val = NULL, *target = NULL; + char *inter = NULL; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + hierarchy[0] = "capaths"; + hierarchy[1] = realm; + hierarchy[2] = NULL; + hierarchy[3] = NULL; + + /* + * Not fatal if this fails, continue on. + */ + code = profile_rename_section(profile, hierarchy, NULL); + + hierarchy[1] = NULL; + code = profile_iterator_create(profile, hierarchy, + PROFILE_ITER_LIST_SECTION, &state); + while (code == 0) { + code = profile_iterator(&state, &source, &dummy_val); + if (code == 0 && source != NULL) { + hierarchy[1] = source; + code2 = profile_iterator_create(profile, hierarchy, + PROFILE_ITER_LIST_SECTION, &state2); + while (code2 == 0) { + code2 = profile_iterator(&state2, &target, + &inter); + if (code2 == 0 && target != NULL && + inter != NULL) { + if (strcmp(realm, target) == 0 || + strcmp(realm, inter) == 0) { + hierarchy[2] = target; + code3 = + profile_clear_relation( + profile, hierarchy); + if (code3 != 0) { + code = code3; + goto error; + } + } + } + if (target != NULL) { + profile_release_string(target); + target = NULL; + } + if (inter != NULL) { + profile_release_string(inter); + inter = NULL; + } + } + } + if (source != NULL) { + profile_release_string(source); + source = NULL; + } + if (dummy_val != NULL) { + profile_release_string(dummy_val); + dummy_val = NULL; + } + } + code = 0; + +error: + if (state != NULL) + profile_iterator_free(&state); + if (state2 != NULL) + profile_iterator_free(&state2); + if (target != NULL) + profile_release_string(target); + if (inter != NULL) + profile_release_string(inter); + if (source != NULL) + profile_release_string(source); + if (dummy_val != NULL) + profile_release_string(dummy_val); + + return (code); +} + +/* + * errcode_t k5_profile_remove_realm(profile_t profile, char *realm) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the target realm for removal + * Note: the function removes the matching realm in the realms section, + * the default_realm, relevant domain_realm mappings with the realm name, + * and matching capaths source realm subsection. + */ +errcode_t +k5_profile_remove_realm(profile_t profile, char *realm) +{ + const char *hierarchy[4]; + errcode_t code; + char *drealm = NULL; + + if (profile == NULL || realm == NULL) + return (EINVAL); + + /* + * Remove the default realm. + */ + hierarchy[0] = "libdefaults"; + hierarchy[1] = "default_realm"; + hierarchy[2] = NULL; + + /* + * We are not returning on missing configuration information given that + * we are performing a best effort on removing as much realm information + * as possible. Regardless of symmetry from adding. + */ + code = k5_profile_get_default_realm(profile, &drealm); + if (code == 0 && drealm != NULL) { + if (strcmp(drealm, realm) == 0) { + code = profile_clear_relation(profile, hierarchy); + if (code != 0) { + free(drealm); + return (code); + } + } + free(drealm); + } + + hierarchy[0] = "realms"; + hierarchy[1] = realm; + hierarchy[2] = NULL; + + (void) profile_rename_section(profile, hierarchy, NULL); + + (void) k5_profile_remove_domain_mapping(profile, realm); + + (void) k5_profile_remove_xrealm_mapping(profile, realm); + + /* + * Not fatal even if realm wasn't available to remove. + */ + return (0); +} + +/* + * errcode_t k5_profile_add_xrealm_mapping(profile_t profile, char *source, + * char *target, char *inter) + * + * where profile was the pointer passed back by k5_profile_init + * where source is the source realm for the capath + * where target is the target realm for the capath + * where inter is the intermediate realm between the source and target + * realms. If the source and target share x-realm keys then this set to "." + * Note: if the section does not exist one will be created + */ +errcode_t +k5_profile_add_xrealm_mapping(profile_t profile, char *source, char *target, + char *inter) +{ + const char *hierarchy[4]; + errcode_t code; + + if (profile == NULL || source == NULL || target == NULL || + inter == NULL) + return (EINVAL); + + hierarchy[0] = "capaths"; + hierarchy[1] = source; + hierarchy[2] = target; + hierarchy[3] = NULL; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, inter); + + return (code); +} + +/* + * errcode_t k5_profile_validate(profile_t profile, char *realm, int *val_err, + * char **val, boolean_t master_required, boolean_t kdc_required) + * + * where profile was the pointer passed back by k5_profile_init + * where realm is the realm name (case sensitive) to be inspected. + * where val_err is a function specific error code of the following values: + * K5_PROFILE_VAL_SUCCESS + * No errors detected in profile + * (val returns realm validated) + * K5_PROFILE_VAL_DEF_REALM_CASE + * default realm only differs in case from the realm specified + * (val returns default realm configured) + * K5_PROFILE_VAL_REALM_CASE + * realm in realms section differs in case from the realm specified + * (val returns realm configured) + * K5_PROFILE_VAL_NO_DEF_IN_REALM + * default realm is not found in realms section + * (val returns realm not found) + * K5_PROFILE_VAL_NO_DEF_REALM + * default realm does not exist + * (val returns realm specified) + * K5_PROFILE_VAL_NULL_REALM + * no realm found in realms section + * (val returns realm specified) + * K5_PROFILE_VAL_NO_DOM_REALM_MAP + * no domain realm mapping entry found from the realm specified + * (val returns realm specified) + * K5_PROFILE_VAL_KDC_NO_REALM + * kdc relation-value does not exist for specified realm + * (val returns realm specified) + * K5_PROFILE_VAL_ADMIN_NO_REALM + * admin_server relation-value does not exist for specified realm + * (val returns realm specified) + * K5_PROFILE_VAL_DOM_REALM_CASE + * the realm name argument differs in case from the realm name argument + * for a domain-realm mapping entry + * (val returns the domain/host name) + * K5_PROFILE_VAL_NO_REALM + * realm name specified is not found in realms section + * (val returns the realm specified) + * where val is the associated errant value, associated with val_err. This + * value is returned as is from the profile. + * where master_required is a boolean value to determine whether admin_server + * should be validated. + * where kdc_rqeuired is a boolean value to determine whether kdc entries should + * be validated. + * + * Note: function infers the following: + * 1. all required entries are present + * 2. all relations are defined between default realm, realm, and + * domain - realm mappings + * + * Note: The return value of this function is based on the error code returned + * by the framework/mechanism. The function could return zero with the + * validation error code set to non-zero if the profile is invalid in any way. + * + * Caution: This function could return false positives on valid + * configurations and should only be used by the CIFS team for + * specific purposes. + */ +errcode_t +k5_profile_validate(profile_t profile, char *realm, int *val_err, char **val, + boolean_t master_required, boolean_t kdc_required) +{ + errcode_t code; + boolean_t found = B_FALSE, found_realm = B_FALSE; + char *default_realm = NULL, **realms = NULL; + char **trealms = NULL, **domains = NULL, **ret_vals = NULL; + + if (profile == NULL || realm == NULL || val_err == NULL || val == NULL) + return (EINVAL); + + *val_err = K5_PROFILE_VAL_SUCCESS; + *val = NULL; + + code = k5_profile_get_realms(profile, &realms); + if (code == 0 && realms != NULL) { + for (trealms = realms; *trealms; trealms++) { + if (strcmp(realm, *trealms) != 0) { + if (strcasecmp(realm, *trealms) == 0) { + *val_err = K5_PROFILE_VAL_REALM_CASE; + *val = strdup(*trealms); + if (*val == NULL) + code = ENOMEM; + goto cleanup; + } else + continue; + } + found_realm = B_TRUE; + break; + } + } else if (code == 0 && realms == NULL) { + *val_err = K5_PROFILE_VAL_NULL_REALM; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } else + goto cleanup; + + if (found_realm == B_FALSE) { + *val_err = K5_PROFILE_VAL_NO_REALM; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } + + /* + * Perform case insensitive lookup first, followed by case + * sensitive search. This allows detection of lower case names + * before an exact match, which would not match if the name was + * in lower case. + */ + code = k5_profile_get_domain_realm(profile, *trealms, + &domains, B_TRUE); + if (code == 0 && domains != NULL) { + *val_err = K5_PROFILE_VAL_DOM_REALM_CASE; + if ((*val = strdup(*domains)) == NULL) + code = ENOMEM; + goto cleanup; + } else if (code == 0 && domains == NULL) { + code = k5_profile_get_domain_realm(profile, + *trealms, &domains, B_FALSE); + if (code == 0 && domains != NULL) { + profile_free_list(domains); + domains = NULL; + } else if (code == 0 && domains == NULL) { + *val_err = K5_PROFILE_VAL_NO_DOM_REALM_MAP; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } else + goto cleanup; + } else + goto cleanup; + + if (kdc_required == B_TRUE) { + code = k5_profile_get_realm_entry(profile, *trealms, + "kdc", &ret_vals); + if (code == 0 && ret_vals != NULL) { + profile_free_list(ret_vals); + ret_vals = NULL; + } else if (code == 0 && ret_vals == NULL) { + *val_err = K5_PROFILE_VAL_KDC_NO_REALM; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } else + goto cleanup; + } + + if (master_required == B_TRUE) { + code = k5_profile_get_realm_entry(profile, *trealms, + "admin_server", &ret_vals); + if (code == 0 && ret_vals != NULL) { + profile_free_list(ret_vals); + ret_vals = NULL; + } else if (code == 0 && ret_vals == NULL) { + *val_err = K5_PROFILE_VAL_ADMIN_NO_REALM; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } else + goto cleanup; + } + + code = k5_profile_get_default_realm(profile, &default_realm); + if (code == 0 && default_realm != NULL) { + if (strcasecmp(default_realm, realm) == 0) { + if (strcmp(default_realm, realm) != 0) { + *val_err = K5_PROFILE_VAL_DEF_REALM_CASE; + if ((*val = strdup(default_realm)) == NULL) + code = ENOMEM; + goto cleanup; + } + } + } else if (code == 0 && default_realm == NULL) { + *val_err = K5_PROFILE_VAL_NO_DEF_REALM; + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + goto cleanup; + } else + goto cleanup; + + for (trealms = realms; *trealms; trealms++) { + if (strcmp(default_realm, *trealms) == 0) { + found = B_TRUE; + break; + } + } + + if (found == B_FALSE) { + *val_err = K5_PROFILE_VAL_NO_DEF_IN_REALM; + if ((*val = strdup(default_realm)) == NULL) + code = ENOMEM; + goto cleanup; + } + + if ((*val = strdup(realm)) == NULL) + code = ENOMEM; + +cleanup: + + if (realms != NULL) + profile_free_list(realms); + if (ret_vals != NULL) + profile_free_list(ret_vals); + if (default_realm != NULL) + profile_release_string(default_realm); + if (domains != NULL) + profile_free_list(domains); + + return (code); +} + +/* + * errcode_t k5_profile_init(char *filename, profile_t *profile) + * + * where filename is the specified profile location. If filename is NULL + * then function uses the system default name, /etc/krb5/krb5.conf + * where profile is pointer passed to caller upon success + * Note: if the file does not exist then one will be created + * Note: the function assumes that the profile file resides in a directory only + * writable by root as the O_NOLINKS mode for open() was removed to avoid a + * EMLINK ("Too many inks") issue with one of its consumers + * Note: if the file does exist then any existing profile information will + * be in profile + * Note: profile_release() should be used by the caller to free profile + */ +errcode_t +k5_profile_init(char *filename, profile_t *profile) +{ + profile_filespec_t *filenames = NULL; + krb5_error_code ret = 0; + errcode_t code = 0; + int err = 0, fd; + mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; + + if (profile == NULL) + return (EINVAL); + + if (filename != NULL) { + filenames = malloc(2 * sizeof (char *)); + if (filenames == NULL) + return (ENOMEM); + filenames[0] = strdup(filename); + if (filenames[0] == NULL) { + free(filenames); + return (ENOMEM); + } + filenames[1] = NULL; + } else { + ret = krb5_get_default_config_files(&filenames); + if (ret != 0) + return (ret); + } + + /* + * If file does not exist then create said file. + */ + fd = open(*filenames, O_RDWR|O_CREAT|O_NOFOLLOW, mode); + if (fd < 0) { + err = errno; + krb5_free_config_files(filenames); + return (err); + } else + close(fd); + + /* + * Specify non-null for specific file (to load any existing profile) + */ + code = profile_init((const_profile_filespec_t *)filenames, profile); + + krb5_free_config_files(filenames); + + return (code); +} + +/* + * k5_profile_validate_get_error_msg(profile_t profile, int err, char *val, + * char **err_msg) + * + * intput arguments: + * where profile was pointer passed back by k5_profile_init + * where err is the val_err returned by the k5_profile_validate function + * where val is the val returned by the k5_profile_validate function + * + * output arguments: + * where err_msg is the returned error message string + * + * Note: Upon success an error string will be passed back by the caller in + * err_msg else an error code is returned and err_msg is not allocated. + */ +errcode_t +k5_profile_validate_get_error_msg(profile_t profile, int err, char *val, + char **err_msg) +{ + char *m; + const_profile_filespec_t f; + errcode_t code = 0; + + if (profile == NULL || val == NULL || err_msg == NULL) + return (EINVAL); + + *err_msg = NULL; + f = profile->first_file->data->filespec; + + switch (err) { + case K5_PROFILE_VAL_SUCCESS: + m = _("No error"); + break; + case K5_PROFILE_VAL_DEF_REALM_CASE: + m = _("default_realm should be in upper-case"); + break; + case K5_PROFILE_VAL_REALM_CASE: + m = _("realm in [realms] section should be in upper-case"); + break; + case K5_PROFILE_VAL_NO_DEF_IN_REALM: + m = _("default_realm is not found in [realms] section"); + break; + case K5_PROFILE_VAL_NO_DEF_REALM: + m = _("default_realm doesn't exist in the [libdefaults] section"); + break; + case K5_PROFILE_VAL_NULL_REALM: + m = _("no realms found in the [realms] section"); + break; + case K5_PROFILE_VAL_NO_DOM_REALM_MAP: + m = _("missing mapping entry in the [domain_realm] " + "section for the specified realm"); + break; + case K5_PROFILE_VAL_KDC_NO_REALM: + m = _("no kdc entries found for the specified realm"); + break; + case K5_PROFILE_VAL_ADMIN_NO_REALM: + m = _("no admin_server entry found for the specified realm"); + break; + case K5_PROFILE_VAL_DOM_REALM_CASE: + m = _("mapping entry in [domain_realm] section for " + "the specified realm should be in upper-case"); + break; + case K5_PROFILE_VAL_NO_REALM: + m = _("specified realm not found in [realms] section"); + break; + default: + m = _("unknown error"); + break; + } + + if (asprintf(err_msg, "%s: %s: %s", f, m, val) == -1) + code = ENOMEM; + + return (code); +} + +/* + * errcode_t k5_profile_get_libdefaults_entry(profile_t profile, char *name, + * char ***ret_value) + * + * where profile was the pointer passed back by k5_profile_init + * where name is the name of the requested relation + * where ret_value is the value assigned to name + * Note: if name has not been configured, ret_value is set to NULL and + * the function returns 0. + */ +errcode_t +k5_profile_get_libdefaults_entry(profile_t profile, char *name, + char **ret_value) +{ + const char *hierarchy[3]; + errcode_t code; + + if (profile == NULL || name == NULL || ret_value == NULL) + return (EINVAL); + + *ret_value = NULL; + + hierarchy[0] = "libdefaults"; + hierarchy[1] = name; + hierarchy[2] = NULL; + + code = profile_get_value(profile, hierarchy, (char **)ret_value); + + if (code == PROF_NO_RELATION) + code = 0; + + return (code); +} + +/* + * errcode_t k5_profile_add_libdefaults_entry(profile_t profile char *name, + * char **value) + * + * where profile was the pointer passed back by k5_profile_init + * where name is the name of the relation to be set + * where value is the value to be assigned to name. + * Note: if the name already exists, the value is overwritten with the value + * passed + */ +errcode_t +k5_profile_add_libdefaults_entry(profile_t profile, char *name, char *value) +{ + const char *hierarchy[3]; + errcode_t code; + + if (profile == NULL || name == NULL || value == NULL) + return (EINVAL); + + hierarchy[0] = "libdefaults"; + hierarchy[1] = name; + hierarchy[2] = NULL; + + /* + * Not fatal if this fails, continue on. + */ + (void) profile_clear_relation(profile, hierarchy); + + code = profile_add_relation(profile, hierarchy, value); + return (code); +} + +/* + * Solaris Kerberos + * profile_get_options_boolean() and profile_get_options_string() are Solaris + * specific. + */ + +errcode_t +profile_get_options_boolean(profile, section, options) +profile_t profile; +char ** section; +profile_options_boolean *options; +{ + char ** actual_section; + char *value = NULL; + errcode_t retval = 0; + int i, max_i; + + for (max_i = 0; section[max_i]; max_i++); + if (actual_section = (char **)malloc((max_i + 2) * sizeof (char *))) { + for (actual_section[max_i + 1] = NULL, i = 0; section[i]; i++) + actual_section[i] = section[i]; + + for (i = 0; options[i].name; i++) { + if (options[i].found) continue; + actual_section[max_i] = options[i].name; + retval = profile_get_value(profile, (const char **) actual_section, + (char **)&value); + if (retval && (retval != PROF_NO_RELATION) && + (retval != PROF_NO_SECTION)) { + free(actual_section); + return (retval); + } + if ((retval == 0) && value) { + /* + * Any string other than true will turn off the + * option + */ + if (strncmp(value, "true", 4) == 0) + *(options[i].value) = 1; + else + *(options[i].value) = 0; + options[i].found = 1; + + } + } + free(actual_section); + } else { + retval = ENOMEM; + } + return (retval); +} + +errcode_t +profile_get_options_string(profile, section, options) +profile_t profile; +char ** section; +profile_option_strings *options; +{ + char ** actual_section; + char *value = NULL; + errcode_t retval = 0; + int i, max_i; + + for (max_i = 0; section[max_i]; max_i++); + if (actual_section = (char **)malloc((max_i + 2) * sizeof (char *))) { + for (actual_section[max_i + 1] = NULL, i = 0; section[i]; i++) + actual_section[i] = section[i]; + + for (i = 0; options[i].name; i++) { + if (options[i].found) continue; + actual_section[max_i] = options[i].name; + retval = profile_get_value(profile, (const char **) actual_section, + (char **)&value); + if (retval && (retval != PROF_NO_RELATION) && + (retval != PROF_NO_SECTION)) { + free(actual_section); + return (retval); + } + if ((retval == 0) && value) { + *options[i].value = malloc(strlen(value)+1); + if (*options[i].value == 0) + retval = ENOMEM; + strcpy(*options[i].value, value); + options[i].found = 1; + } else + *options[i].value = 0; + } + free(actual_section); + } else { + retval = ENOMEM; + } + return (retval); +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/prof_solaris.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/prof_solaris.h Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * Solaris Kerberos + * This is a private header file, therefore the interfaces that this file + * declares are subject to change without prior notice. + */ + +#ifndef _PROF_SOLARIS_H +#define _PROF_SOLARIS_H + +#include +#include + +#define K5_PROFILE_VAL_SUCCESS 0 +#define K5_PROFILE_VAL_DEF_REALM_CASE 1 +#define K5_PROFILE_VAL_REALM_CASE 2 +#define K5_PROFILE_VAL_NO_DEF_IN_REALM 3 +#define K5_PROFILE_VAL_NO_DEF_REALM 4 +#define K5_PROFILE_VAL_NULL_REALM 5 +#define K5_PROFILE_VAL_NO_DOM_REALM_MAP 6 +#define K5_PROFILE_VAL_KDC_NO_REALM 7 +#define K5_PROFILE_VAL_ADMIN_NO_REALM 8 +#define K5_PROFILE_VAL_DOM_REALM_CASE 9 +#define K5_PROFILE_VAL_NO_REALM 10 + +typedef struct _profile_options { + char *name; + int *value; + int found; +} profile_options_boolean; + +typedef struct _profile_times { + char *name; + char **value; + int found; +} profile_option_strings; + +errcode_t +profile_get_options_boolean(profile_t, char **, profile_options_boolean *); + +errcode_t +profile_get_options_string(profile_t, char **, profile_option_strings *); + +long k5_profile_init(char *filename, profile_t *profile); +long k5_profile_release(profile_t profile); +void k5_profile_abandon(profile_t profile); +long k5_profile_add_domain_mapping(profile_t profile, char *domain, + char *realm); +long k5_profile_remove_domain_mapping(profile_t profile, char *realm); +long k5_profile_get_realm_entry(profile_t profile, char *realm, char *name, + char ***ret_value); +long k5_profile_add_realm_entry(profile_t profile, char *realm, char *name, + char **values); +long k5_profile_get_libdefaults_entry(profile_t profile, char *name, + char **ret_value); +long k5_profile_add_libdefaults_entry(profile_t profile, char *name, + char *value); +long k5_profile_get_default_realm(profile_t profile, char **realm); +long k5_profile_get_realms(profile_t profile, char ***realms); +long k5_profile_add_realm(profile_t profile, char *realm, char *master, + char **kdcs, boolean_t set_change, boolean_t default_realm); +long k5_profile_remove_xrealm_mapping(profile_t profile, char *realm); +long k5_profile_remove_realm(profile_t profile, char *realm); +long k5_profile_add_xrealm_mapping(profile_t profile, char *source, + char *target, char *inter); +long k5_profile_validate(profile_t profile, char *realm, int *val_err, + char **val, boolean_t master_required, boolean_t kdc_required); +long k5_profile_validate_get_error_msg(profile_t profile, int err, char *val, + char **err_msg); +long k5_profile_set_libdefaults(profile_t profile, char *realm); + +#endif /* _PROF_SOLARIS_H */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/rc_mem.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/rc_mem.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,345 @@ +/* + * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * mech_krb5/krb5/rcache/rc_mem.c + * + * This file of the Kerberos V5 software is derived from public-domain code + * contributed by Daniel J. Bernstein, . + */ + +/* + * An implementation for the memory only (mem) replay cache type. + * This file was derived from rc_dfl.c with NOIOSTUFF defined. + */ +#include "rc_mem.h" + +#ifndef HASHSIZE +#define HASHSIZE 997 /* a convenient prime */ +#endif + +#define CMP_MALLOC -3 +#define CMP_EXPIRED -2 +#define CMP_REPLAY -1 +#define CMP_HOHUM 0 + +struct authlist +{ + krb5_donot_replay rep; + struct authlist *na; + struct authlist *nh; +}; + +/* + * We want the replay cache to hang around for the entire life span of the + * process, regardless if the auth_context or acceptor_cred handles are + * destroyed. + */ +struct global_rcache grcache = {K5_MUTEX_PARTIAL_INITIALIZER, NULL}; + +static unsigned int +hash(krb5_donot_replay *rep, unsigned int hsize) +{ + unsigned int h = rep->cusec + rep->ctime; + h += *rep->server; + h += *rep->client; + return h % hsize; +} + +/*ARGSUSED*/ +static int +cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t) +{ + if ((old->cusec == new1->cusec) && /* most likely to distinguish */ + (old->ctime == new1->ctime) && + (strcmp(old->client, new1->client) == 0) && + (strcmp(old->server, new1->server) == 0)) { /* always true */ + /* If both records include message hashes, compare them as well. */ + if (old->msghash == NULL || new1->msghash == NULL || + strcmp(old->msghash, new1->msghash) == 0) + return CMP_REPLAY; + } + return CMP_HOHUM; +} + +static int +alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t) +{ + if (mytime == 0) + return CMP_HOHUM; /* who cares? */ + /* I hope we don't have to worry about overflow */ + if (new1->ctime + t < mytime) + return CMP_EXPIRED; + return CMP_HOHUM; +} +/* + * of course, list is backwards + * hash could be forwards since we have to search on match, but naaaah + */ +static int +rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) +{ + struct mem_data *t = (struct mem_data *)id->data; + int rephash; + struct authlist *ta, *pta = NULL, *head; + krb5_int32 time; + + rephash = hash(rep, t->hsize); + + /* Calling krb_timeofday() here, once for better perf. */ + krb5_timeofday(context, &time); + + /* + * Calling alive() on rep since it doesn't make sense to store + * an expired replay. + */ + if (alive(time, rep, t->lifespan) == CMP_EXPIRED) + return (CMP_EXPIRED); + + for (ta = t->h[rephash]; ta; ta = ta->nh) { + switch (cmp(&ta->rep, rep, t->lifespan)) { + case CMP_REPLAY: + return (CMP_REPLAY); + case CMP_HOHUM: + if (alive(time, &ta->rep, t->lifespan) + == CMP_EXPIRED) { + free(ta->rep.client); + free(ta->rep.server); + free(ta->rep.msghash); + if (pta) { + pta->nh = ta->nh; + free(ta); + ta = pta; + } else { + head = t->h[rephash]; + t->h[rephash] = ta->nh; + free(head); + } + continue; + } + } + pta = ta; + } + + if (!(ta = (struct authlist *)malloc(sizeof (struct authlist)))) + return (CMP_MALLOC); + ta->rep = *rep; + ta->rep.client = ta->rep.server = ta->rep.msghash = NULL; + if (!(ta->rep.client = strdup(rep->client))) + goto error; + if (!(ta->rep.server = strdup(rep->server))) + goto error; + if (!(ta->rep.msghash = strdup(rep->msghash))) + goto error; + ta->nh = t->h[rephash]; + t->h[rephash] = ta; + return (CMP_HOHUM); +error: + if (ta->rep.client) + free(ta->rep.client); + if (ta->rep.server) + free(ta->rep.server); + if (ta->rep.msghash) + free(ta->rep.msghash); + free(ta); + return (CMP_MALLOC); +} + +/*ARGSUSED*/ +char *KRB5_CALLCONV +krb5_rc_mem_get_name(krb5_context context, krb5_rcache id) +{ + return (((struct mem_data *)(id->data))->name); +} + +/*ARGSUSED*/ +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_get_span(krb5_context context, krb5_rcache id, + krb5_deltat *lifespan) +{ + struct mem_data *t; + + k5_mutex_lock(&id->lock); + k5_mutex_lock(&grcache.lock); + + t = (struct mem_data *)id->data; + *lifespan = t->lifespan; + + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + + return (0); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_init_locked(krb5_context context, krb5_rcache id, + krb5_deltat lifespan) +{ + struct mem_data *t = (struct mem_data *)id->data; + + t->lifespan = lifespan ? lifespan : context->clockskew; + /* default to clockskew from the context */ + return (0); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_init(krb5_context context, krb5_rcache id, krb5_deltat lifespan) +{ + krb5_error_code retval; + + k5_mutex_lock(&id->lock); + k5_mutex_lock(&grcache.lock); + + retval = krb5_rc_mem_init_locked(context, id, lifespan); + + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + + return (retval); +} + +/* + * We want the replay cache to be persistent since we can't + * read from a file to retrieve the rcache, so we must not free + * here. Just return success. + */ +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_close(krb5_context context, krb5_rcache id) +{ + return (0); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_destroy(krb5_context context, krb5_rcache id) +{ + return (krb5_rc_mem_close(context, id)); +} + +/*ARGSUSED*/ +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_resolve(krb5_context context, krb5_rcache id, char *name) +{ + struct mem_data *t = 0; + krb5_error_code retval; + + k5_mutex_lock(&grcache.lock); + + /* + * If the global rcache has already been initialized through a prior + * call to this function then just set the rcache to point to it for + * any subsequent operations. + */ + if (grcache.data != NULL) { + id->data = (krb5_pointer)grcache.data; + k5_mutex_unlock(&grcache.lock); + return (0); + } + /* allocate id? no */ + if (!(t = (struct mem_data *)malloc(sizeof (struct mem_data)))) { + k5_mutex_unlock(&grcache.lock); + return (KRB5_RC_MALLOC); + } + grcache.data = id->data = (krb5_pointer)t; + memset(t, 0, sizeof (struct mem_data)); + if (name) { + t->name = malloc(strlen(name)+1); + if (!t->name) { + retval = KRB5_RC_MALLOC; + goto cleanup; + } + strcpy(t->name, name); + } else + t->name = 0; + t->hsize = HASHSIZE; /* no need to store---it's memory-only */ + t->h = (struct authlist **)malloc(t->hsize*sizeof (struct authlist *)); + if (!t->h) { + retval = KRB5_RC_MALLOC; + goto cleanup; + } + memset(t->h, 0, t->hsize*sizeof (struct authlist *)); + k5_mutex_unlock(&grcache.lock); + return (0); + +cleanup: + if (t) { + if (t->name) + free(t->name); + if (t->h) + free(t->h); + free(t); + grcache.data = NULL; + id->data = NULL; + } + k5_mutex_unlock(&grcache.lock); + + return (retval); +} + +/* + * Recovery (retrieval) of the replay cache occurred during + * krb5_rc_resolve(). So we just return error here. + */ +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_recover(krb5_context context, krb5_rcache id) +{ + return (KRB5_RC_NOIO); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_recover_or_init(krb5_context context, krb5_rcache id, + krb5_deltat lifespan) +{ + krb5_error_code retval; + + retval = krb5_rc_mem_recover(context, id); + if (retval) + retval = krb5_rc_mem_init(context, id, lifespan); + + return (retval); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_mem_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) +{ + k5_mutex_lock(&id->lock); + k5_mutex_lock(&grcache.lock); + + switch (rc_store(context, id, rep)) { + case CMP_MALLOC: + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + return (KRB5_RC_MALLOC); + case CMP_REPLAY: + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + return (KRB5KRB_AP_ERR_REPEAT); + case CMP_EXPIRED: + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + return (KRB5KRB_AP_ERR_SKEW); + case CMP_HOHUM: + break; + } + + k5_mutex_unlock(&grcache.lock); + k5_mutex_unlock(&id->lock); + + return (0); +} + +const krb5_rc_ops krb5_rc_mem_ops = { + 0, + "MEMORY", + krb5_rc_mem_init, + krb5_rc_mem_recover, + krb5_rc_mem_recover_or_init, + krb5_rc_mem_destroy, + krb5_rc_mem_close, + krb5_rc_mem_store, + /* expunging not used in memory rcache type */ + NULL, + krb5_rc_mem_get_span, + krb5_rc_mem_get_name, + krb5_rc_mem_resolve +}; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/rc_mem.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/rc_mem.h Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,65 @@ +/* + * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +#ifndef _KRB5_RC_MEM_H +#define _KRB5_RC_MEM_H + +#include "k5-int.h" +#include "rc-int.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * mech_krb5/krb5/rcache/rc_mem.h + * + * This file of the Kerberos V5 software is derived from public-domain code + * contributed by Daniel J. Bernstein, . + */ + +struct mem_data { + char *name; + krb5_deltat lifespan; + int hsize; + struct authlist **h; +}; + +struct global_rcache { + k5_mutex_t lock; + struct mem_data *data; +}; + +extern struct global_rcache grcache; + +extern const krb5_rc_ops krb5_rc_mem_ops; + +krb5_error_code KRB5_CALLCONV krb5_rc_mem_init + (krb5_context, krb5_rcache, krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_recover + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_recover_or_init + (krb5_context, krb5_rcache, krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_destroy + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_close + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_store + (krb5_context, krb5_rcache, krb5_donot_replay *); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_expunge + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_get_span + (krb5_context, krb5_rcache, krb5_deltat *); +char *KRB5_CALLCONV krb5_rc_mem_get_name + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_resolve + (krb5_context, krb5_rcache, char *); +void krb5_rc_free_entry + (krb5_context, krb5_donot_replay **); + +#ifdef __cplusplus +} +#endif + +#endif /* !_KRB5_RC_MEM_H */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/safechown.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/safechown.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,112 @@ +/* + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* Solaris Kerberos: this file is unique to Solaris. */ + +#include +#include +#include +#include +#include +#include +#include + +/* + * safechown changes the owner ship of src to uid. If the mode parameter + * does not equal -1 changes the mode of src as well. + * + * return -1 on failure and 0 on success. + */ + +int +safechown(const char *src, uid_t uid, gid_t gid, int mode) +{ +int fd; +struct stat fdbuf; +struct stat lbuf; + + if ((fd = open(src, O_RDONLY, 0)) == -1) + return (-1); + + if (fstat(fd, &fdbuf)) { + close(fd); + return (-1); + } + + /* Make sure non directories are not hard links */ + if (!S_ISDIR(fdbuf.st_mode) && fdbuf.st_nlink != 1) { + close(fd); + return (-1); + } + + if (lstat(src, &lbuf)) { + close(fd); + return (-1); + } + + /* Make sure file is not a symlink */ + if (fdbuf.st_ino != lbuf.st_ino || fdbuf.st_dev != lbuf.st_dev || + fdbuf.st_mode != lbuf.st_mode) { + + close(fd); + return (-1); + } + + /* we should probably get the primary group id for uid here */ + if (fchown(fd, uid, gid)) { + close(fd); + return (-1); + } + + if (mode != -1) { + if (fchmod(fd, (mode_t)mode)) { + close(fd); + return (-1); + } + } + + close(fd); + + return (0); +} + +#ifdef TEST +void +usage(char *prg) +{ + fprintf(stderr, "Usage %s [-u uid] [-m mode] source\n", prg); + exit(1); +} + +main(int argc, char *argv[]) +{ + int opt; + int mode = -1; + uid_t uid = 0; + + while ((opt = getopt(argc, argv, "m:u:")) != EOF) { + switch (opt) { + case 'm': + mode = strtol(optarg, 0, 8); + break; + case 'u': + uid = atoi(optarg); + break; + default: + usage(argv[0]); + } + } + + if (argc - optind != 1) + usage(argv[0]); + + if (safechown(argv[optind], uid, getgid(), mode)) { + perror("safechown"); + exit(1); + } + + return (0); +} + +#endif /* TEST */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/Solaris/util_ordering.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/Solaris/util_ordering.c Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,311 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* + * Copyright 1993 by OpenVision Technologies, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of OpenVision not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. OpenVision makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. + */ + +/* + * $Id: util_ordering.c 23457 2009-12-08 00:04:48Z tlyu $ + */ + +/* + * functions to check sequence numbers for replay and sequencing + */ + +#include "gssapiP_generic.h" +#include + +#define QUEUE_LENGTH 20 + +typedef struct _queue { + int do_replay; + int do_sequence; + int start; + int length; + uint64_t firstnum; + /* Stored as deltas from firstnum. This way, the high bit won't + overflow unless we've actually gone through 2**n messages, or + gotten something *way* out of sequence. */ + uint64_t elem[QUEUE_LENGTH]; + /* All ones for 64-bit sequence numbers; 32 ones for 32-bit + sequence numbers. */ + uint64_t mask; +} queue; + +/* rep invariant: + * - the queue is a circular queue. The first element (q->elem[q->start]) + * is the oldest. The last element is the newest. + */ + +#define QSIZE(q) (sizeof((q)->elem)/sizeof((q)->elem[0])) +#define QELEM(q,i) ((q)->elem[(i)%QSIZE(q)]) + +/* + * Solaris Kerberos: begin + * mask(max) is 2 ** 64 - 1, and half is 2 ** 63. + * |-------------------------------|-----------------------------| + * 0 half mask + * |-------------------------------| + * half range ( 2 ** 63 ) + * + * Here, the distance between n1 and n2 is used, if it falls + * in the "half range", normal integer comparison is enough. + * + * If the distance is bigger than half of the range, one of them must + * have passed the 'mask' point while the other one didn't. In this + * case, the result should be the reverse of normal comparison, i.e. + * the smaller one is considered bigger. + * + * If we shift the smaller value by adding 'mask' to it, + * the distance will be in half range again. + * + * The assumption is that the out of order event will not + * happen too often. If the distance is really bigger than half range, + * (1 is expected, but half + 2 arrives) we really don't know if it's a + * GAP token or an OLD token that wrapped. + */ +static int +after(uint64_t n1, uint64_t n2, uint64_t mask) +{ + int bigger; + uint64_t diff; + uint64_t half; + + /* + * rule 1: same number. + * This may be ambiguous, but the caller of this function, + * g_order_check already takes care of it. + */ + if (n1 == n2) + return (0); + + half = 1 + (mask >> 1); + + if (n1 > n2) { + diff = n1 - n2; + bigger = 1; + } else { + diff = n2 - n1; + bigger = 0; + } + + /* rule 2: in the same half range, normal comparison is enough */ + if (diff < half) + return bigger; + + n1 &= half; + + /* rule 3: different half, and n1 is on upper, n2 is bigger */ + /* rule 4: different half, and n1 is on lower, n1 is bigger */ + if (n1 != 0) + return (0); + + return (1); +} +/* Solaris Kerberos: end */ + +static void +queue_insert(queue *q, int after, uint64_t seqnum) +{ + /* insert. this is not the fastest way, but it's easy, and it's + optimized for insert at end, which is the common case */ + int i; + + /* common case: at end, after == q->start+q->length-1 */ + + /* move all the elements (after,last] up one slot */ + + for (i=q->start+q->length-1; i>after; i--) + QELEM(q,i+1) = QELEM(q,i); + + /* fill in slot after+1 */ + + QELEM(q,after+1) = seqnum; + + /* Either increase the length by one, or move the starting point up + one (deleting the first element, which got bashed above), as + appropriate. */ + + if (q->length == QSIZE(q)) { + q->start++; + if (q->start == QSIZE(q)) + q->start = 0; + } else { + q->length++; + } +} + +gss_int32 +g_order_init(void **vqueue, uint64_t seqnum, + int do_replay, int do_sequence, int wide_nums) +{ + queue *q; + + if ((q = (queue *) malloc(sizeof(queue))) == NULL) + return(ENOMEM); + + /* This stops valgrind from complaining about writing uninitialized + data if the caller exports the context and writes it to a file. + We don't actually use those bytes at all, but valgrind still + complains. */ + (void) memset(q, 0xfe, sizeof(*q)); + + q->do_replay = do_replay; + q->do_sequence = do_sequence; + q->mask = wide_nums ? ~(uint64_t)0 : 0xffffffffUL; + + q->start = 0; + q->length = 1; + q->firstnum = seqnum; + q->elem[q->start] = ((uint64_t)0 - 1) & q->mask; + + *vqueue = (void *) q; + return(0); +} + +gss_int32 +g_order_check(void **vqueue, uint64_t seqnum) +{ + queue *q; + int i; + uint64_t expected; + + q = (queue *) (*vqueue); + + if (!q->do_replay && !q->do_sequence) + return(GSS_S_COMPLETE); + + /* All checks are done relative to the initial sequence number, to + avoid (or at least put off) the pain of wrapping. */ + seqnum -= q->firstnum; + /* If we're only doing 32-bit values, adjust for that again. + + Note that this will probably be the wrong thing to if we get + 2**32 messages sent with 32-bit sequence numbers. */ + seqnum &= q->mask; + + /* rule 1: expected sequence number */ + + expected = (QELEM(q,q->start+q->length-1)+1) & q->mask; + if (seqnum == expected) { + queue_insert(q, q->start+q->length-1, seqnum); + return(GSS_S_COMPLETE); + } + + /* rule 2: > expected sequence number */ + + /* Solaris Kerberos: using after */ + if (after(seqnum, expected, q->mask)) { + queue_insert(q, q->start+q->length-1, seqnum); + if (q->do_replay && !q->do_sequence) + return(GSS_S_COMPLETE); + else + return(GSS_S_GAP_TOKEN); + } + + /* rule 3: seqnum < seqnum(first) */ + + /* Solaris Kerberos */ + if (after(QELEM(q,q->start), seqnum, q->mask)) { + if (q->do_replay && !q->do_sequence) + return(GSS_S_OLD_TOKEN); + else + return(GSS_S_UNSEQ_TOKEN); + } + + /* rule 4+5: seqnum in [seqnum(first),seqnum(last)] */ + + else { + if (seqnum == QELEM(q,q->start+q->length-1)) + return(GSS_S_DUPLICATE_TOKEN); + + for (i=q->start; istart+q->length-1; i++) { + if (seqnum == QELEM(q,i)) + return(GSS_S_DUPLICATE_TOKEN); + /* Solaris Kerberos */ + if (after(seqnum, QELEM(q,i), q->mask) && + after(QELEM(q,i+1), seqnum, q->mask)) { + queue_insert(q, i, seqnum); + if (q->do_replay && !q->do_sequence) + return(GSS_S_COMPLETE); + else + return(GSS_S_UNSEQ_TOKEN); + } + } + } + + /* this should never happen */ + return(GSS_S_FAILURE); +} + +void +g_order_free(void **vqueue) +{ + queue *q; + + q = (queue *) (*vqueue); + + free(q); + + *vqueue = NULL; +} + +/* + * These support functions are for the serialization routines + */ +/* ARGSUSED */ +gss_uint32 +g_queue_size(void *vqueue, size_t *sizep) +{ + *sizep += sizeof(queue); + return 0; +} + +gss_uint32 +g_queue_externalize(void *vqueue, unsigned char **buf, size_t *lenremain) +{ + if (*lenremain < sizeof(queue)) + return ENOMEM; + (void) memcpy(*buf, vqueue, sizeof(queue)); + *buf += sizeof(queue); + *lenremain -= sizeof(queue); + + return 0; +} + +gss_uint32 +g_queue_internalize(void **vqueue, unsigned char **buf, size_t *lenremain) +{ + void *q; + + if (*lenremain < sizeof(queue)) + return EINVAL; + if ((q = malloc(sizeof(queue))) == 0) + return ENOMEM; + (void) memcpy(q, *buf, sizeof(queue)); + *buf += sizeof(queue); + *lenremain -= sizeof(queue); + *vqueue = q; + return 0; +} diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/krb5-kdc.p5m --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/krb5-kdc.p5m Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,132 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. +# + + default mangler.man.stability uncommitted> +set name=pkg.fmri \ + value=pkg:/security/kerberos-5/kdc@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) +set name=pkg.summary value="Kerberos V5 Key Distribution Center (KDC)" +set name=pkg.description \ + value="The Kerberos service is a client-server architecture that provides secure transactions over networks and offers strong, single sign-on user authentication, as well as integrity and privacy. The server package provides for the administration of Kerberos principals, policies, and service key tables (keytabs). It can also be used to configure master and slave Key Distribution Centers (KDCs)." +set name=com.oracle.info.description \ + value="Kerberos V5 Key Distribution Center (KDC)" +set name=com.oracle.info.tpno value=$(TPNO) +set name=info.classification value=org.opensolaris.category.2008:System/Security +set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) +set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 +set name=org.opensolaris.consolidation value=$(CONSOLIDATION) +file Solaris/kadmin.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ + restart_fmri=svc:/system/manifest-import:default +file Solaris/krb5_prop.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ + restart_fmri=svc:/system/manifest-import:default +file Solaris/krb5kdc.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ + restart_fmri=svc:/system/manifest-import:default +link path=lib/svc/manifest/network/security/kadmin.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ + mediator=kerberos5 mediator-implementation=MIT +link path=lib/svc/manifest/network/security/krb5_prop.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ + mediator=kerberos5 mediator-implementation=MIT +link path=lib/svc/manifest/network/security/krb5kdc.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ + mediator=kerberos5 mediator-implementation=MIT +file usr/sbin/kadmin.local \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local +file usr/sbin/kadmind \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind +file usr/sbin/kdb5_ldap_util \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util +file usr/sbin/kdb5_util \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util +file usr/sbin/kprop path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop +file usr/sbin/kpropd \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd +file usr/sbin/kproplog \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog +file usr/sbin/krb5kdc \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ + path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ + path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema +dir path=usr/lib/$(MACH64)/krb5/plugins/kdb +file path=usr/lib/$(MACH64)/krb5/plugins/kdb/db2.so +file path=usr/lib/$(MACH64)/krb5/plugins/kdb/kldap.so +link path=usr/lib/$(MACH64)/libkdb_ldap.so target=libkdb_ldap.so.1.0 +link path=usr/lib/$(MACH64)/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 +file path=usr/lib/$(MACH64)/libkdb_ldap.so.1.0 +link path=usr/lib/krb5/kadmind \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/kprop \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/kpropd \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/krb5kdc \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc \ + mediator=kerberos5 mediator-implementation=MIT +dir path=usr/lib/krb5/plugins/kdb +file path=usr/lib/krb5/plugins/kdb/db2.so +file path=usr/lib/krb5/plugins/kdb/kldap.so +link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 \ + mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/libkdb_ldap.so.1.0 +link path=usr/sbin/kadmin.local \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kdb5_ldap_util \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kdb5_util \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kprop target=../lib/krb5/kprop mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/sbin/kproplog \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/share/lib/ldif/kerberos.ldif \ + target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/share/lib/ldif/kerberos.schema \ + target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema \ + mediator=kerberos5 mediator-implementation=MIT +file path=usr/share/man/man5/kadm5.acl.5 +file path=usr/share/man/man5/kdc.conf.5 +file path=usr/share/man/man8/kadmin.local.8 +file path=usr/share/man/man8/kadmind.8 +file path=usr/share/man/man8/kdb5_ldap_util.8 +file path=usr/share/man/man8/kdb5_util.8 +file path=usr/share/man/man8/kprop.8 +file path=usr/share/man/man8/kpropd.8 +file path=usr/share/man/man8/kproplog.8 +file path=usr/share/man/man8/krb5kdc.8 +license krb5.license license="BSD, BSD-like (KerberosV5)" +depend type=require fmri=system/security/kerberos-5 diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/krb5-message-files.p5m --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/krb5-message-files.p5m Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,33 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. +# + +set name=pkg.fmri \ + value=pkg://$(PUBLISHER_LOCALIZABLE)/security/kerberos-5-message-files@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) +set name=pkg.summary value="Translatable content for KerberosV5" +set name=pkg.description value="Translatable content for KerberosV5" +set name=com.oracle.info.tpno value=$(TPNO) +set name=info.classification value=org.opensolaris.category.2008:System/Security +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 +set name=org.opensolaris.consolidation value=$(CONSOLIDATION) +file src/po/mit-krb5.pot path=usr/share/applications/mit-krb5.pot +license krb5.license license="BSD, BSD-like (KerberosV5)" diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/krb5.license --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/krb5.license Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,1286 @@ +Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Downloading of this software may constitute an export of cryptographic +software from the United States of America that is subject to the +United States Export Administration Regulations (EAR), 15 CFR 730-774. +Additional laws or regulations may apply. It is the responsibility of +the person or entity contemplating export to comply with all +applicable export laws and regulations, including obtaining any +required license from the U.S. government. + +The U.S. government prohibits export of encryption source code to +certain countries and individuals, including, but not limited to, the +countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and +nationals of those countries. + +Documentation components of this software distribution are licensed +under a Creative Commons Attribution-ShareAlike 3.0 Unported License. +(http://creativecommons.org/licenses/by-sa/3.0/) + +Individual source code files are copyright MIT, Cygnus Support, +Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, +FundsXpress, and others. + +Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, +and Zephyr are trademarks of the Massachusetts Institute of Technology +(MIT). No commercial use of these trademarks may be made without +prior written permission of MIT. + +"Commercial use" means use of a name in a product or other for-profit +manner. It does NOT prevent a commercial firm from referring to the +MIT trademarks in order to convey information (although in doing so, +recognition of their trademark status should be given). + +====================================================================== + +The following copyright and permission notice applies to the +OpenVision Kerberos Administration system located in "kadmin/create", +"kadmin/dbutil", "kadmin/passwd", "kadmin/server", "lib/kadm5", and +portions of "lib/rpc": + + Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights + Reserved + + WARNING: Retrieving the OpenVision Kerberos Administration system + source code, as described below, indicates your acceptance of the + following terms. If you do not agree to the following terms, do + not retrieve the OpenVision Kerberos administration system. + + You may freely use and distribute the Source Code and Object Code + compiled from it, with or without modification, but this Source + Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, + INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR + FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER + EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY + FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR + CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, + WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE + CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY + OTHER REASON. + + OpenVision retains all copyrights in the donated Source Code. + OpenVision also retains copyright to derivative works of the Source + Code, whether created by OpenVision or by a third party. The + OpenVision copyright notice must be preserved if derivative works + are made based on the donated Source Code. + + OpenVision Technologies, Inc. has donated this Kerberos + Administration system to MIT for inclusion in the standard Kerberos + 5 distribution. This donation underscores our commitment to + continuing Kerberos technology development and our gratitude for + the valuable work which has been performed by MIT and the Kerberos + community. + +====================================================================== + + Portions contributed by Matt Crawford "crawdad@fnal.gov" were work + performed at Fermi National Accelerator Laboratory, which is + operated by Universities Research Association, Inc., under contract + DE-AC02-76CHO3000 with the U.S. Department of Energy. + +====================================================================== + +Portions of "src/lib/crypto" have the following copyright: + + Copyright (C) 1998 by the FundsXpress, INC. + + All rights reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. + It is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of FundsXpress. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. FundsXpress makes no representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + + THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +====================================================================== + +The implementation of the AES encryption algorithm in +"src/lib/crypto/builtin/aes" has the following copyright: + + Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net", Worcester, UK. + All rights reserved. + + LICENSE TERMS + + The free distribution and use of this software in both source and + binary form is allowed (with or without changes) provided that: + + 1. distributions of this source code include the above copyright + notice, this list of conditions and the following disclaimer; + + 2. distributions in binary form include the above copyright notice, + this list of conditions and the following disclaimer in the + documentation and/or other associated materials; + + 3. the copyright holder's name is not used to endorse products + built using this software without specific written permission. + + DISCLAIMER + + This software is provided 'as is' with no explcit or implied + warranties in respect of any properties, including, but not limited + to, correctness and fitness for purpose. + +====================================================================== + +Portions contributed by Red Hat, including the pre-authentication +plug-in framework and the NSS crypto implementation, contain the +following copyright: + + Copyright (C) 2006 Red Hat, Inc. + Portions copyright (C) 2006 Massachusetts Institute of Technology + All Rights Reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + * Neither the name of Red Hat, Inc., nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The bundled verto source code is subject to the following license: + + Copyright 2011 Red Hat, Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT + HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +====================================================================== + +The MS-KKDCP client implementation has the following copyright: + + Copyright 2013,2014 Red Hat, Inc. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in +"src/lib/gssapi", including the following files: + + lib/gssapi/generic/gssapi_err_generic.et + lib/gssapi/mechglue/g_accept_sec_context.c + lib/gssapi/mechglue/g_acquire_cred.c + lib/gssapi/mechglue/g_canon_name.c + lib/gssapi/mechglue/g_compare_name.c + lib/gssapi/mechglue/g_context_time.c + lib/gssapi/mechglue/g_delete_sec_context.c + lib/gssapi/mechglue/g_dsp_name.c + lib/gssapi/mechglue/g_dsp_status.c + lib/gssapi/mechglue/g_dup_name.c + lib/gssapi/mechglue/g_exp_sec_context.c + lib/gssapi/mechglue/g_export_name.c + lib/gssapi/mechglue/g_glue.c + lib/gssapi/mechglue/g_imp_name.c + lib/gssapi/mechglue/g_imp_sec_context.c + lib/gssapi/mechglue/g_init_sec_context.c + lib/gssapi/mechglue/g_initialize.c + lib/gssapi/mechglue/g_inquire_context.c + lib/gssapi/mechglue/g_inquire_cred.c + lib/gssapi/mechglue/g_inquire_names.c + lib/gssapi/mechglue/g_process_context.c + lib/gssapi/mechglue/g_rel_buffer.c + lib/gssapi/mechglue/g_rel_cred.c + lib/gssapi/mechglue/g_rel_name.c + lib/gssapi/mechglue/g_rel_oid_set.c + lib/gssapi/mechglue/g_seal.c + lib/gssapi/mechglue/g_sign.c + lib/gssapi/mechglue/g_store_cred.c + lib/gssapi/mechglue/g_unseal.c + lib/gssapi/mechglue/g_userok.c + lib/gssapi/mechglue/g_utils.c + lib/gssapi/mechglue/g_verify.c + lib/gssapi/mechglue/gssd_pname_to_uid.c + lib/gssapi/mechglue/mglueP.h + lib/gssapi/mechglue/oid_ops.c + lib/gssapi/spnego/gssapiP_spnego.h + lib/gssapi/spnego/spnego_mech.c + +and the initial implementation of incremental propagation, including +the following new or changed files: + + include/iprop_hdr.h + kadmin/server/ipropd_svc.c + lib/kdb/iprop.x + lib/kdb/kdb_convert.c + lib/kdb/kdb_log.c + lib/kdb/kdb_log.h + lib/krb5/error_tables/kdb5_err.et + slave/kpropd_rpc.c + slave/kproplog.c + +are subject to the following license: + + Copyright (C) 2004 Sun Microsystems, Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +====================================================================== + +Kerberos V5 includes documentation and software developed at the +University of California at Berkeley, which includes this copyright +notice: + + Copyright (C) 1983 Regents of the University of California. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +Portions contributed by Novell, Inc., including the LDAP database +backend, are subject to the following license: + + Copyright (C) 2004-2005, Novell, Inc. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + * The copyright holder's name is not used to endorse or promote + products derived from this software without specific prior + written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +Portions funded by Sandia National Laboratory and developed by the +University of Michigan's Center for Information Technology +Integration, including the PKINIT implementation, are subject to the +following license: + + COPYRIGHT (C) 2006-2007 + THE REGENTS OF THE UNIVERSITY OF MICHIGAN + ALL RIGHTS RESERVED + + Permission is granted to use, copy, create derivative works and + redistribute this software and such derivative works for any + purpose, so long as the name of The University of Michigan is not + used in any advertising or publicity pertaining to the use of + distribution of this software without specific, written prior + authorization. If the above copyright notice or any other + identification of the University of Michigan is included in any + copy of any portion of this software, then the disclaimer below + must also be included. + + THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE + UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND + WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER + EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR + ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR + CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR + IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR + IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +====================================================================== + +The pkcs11.h file included in the PKINIT code has the following +license: + + Copyright 2006 g10 Code GmbH + Copyright 2006 Andreas Jellinghaus + + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +====================================================================== + +Portions contributed by Apple Inc. are subject to the following +license: + + Copyright 2004-2008 Apple Inc. All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. + It is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of Apple Inc. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. Apple Inc. makes no representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + + THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +====================================================================== + +The implementations of UTF-8 string handling in src/util/support and +src/lib/krb5/unicode are subject to the following copyright and +permission notice: + + The OpenLDAP Public License + Version 2.8, 17 August 2003 + + Redistribution and use of this software and associated + documentation ("Software"), with or without modification, are + permitted provided that the following conditions are met: + + 1. Redistributions in source form must retain copyright statements + and notices, + + 2. Redistributions in binary form must reproduce applicable + copyright statements and notices, this list of conditions, and + the following disclaimer in the documentation and/or other + materials provided with the distribution, and + + 3. Redistributions must contain a verbatim copy of this document. + + The OpenLDAP Foundation may revise this license from time to time. + Each revision is distinguished by a version number. You may use + this Software under terms of this license revision or under the + terms of any subsequent revision of the license. + + THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS + CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS + CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + + The names of the authors and copyright holders must not be used in + advertising or otherwise to promote the sale, use or other dealing + in this Software without specific, written prior permission. Title + to copyright in this Software shall at all times remain with + copyright holders. + + OpenLDAP is a registered trademark of the OpenLDAP Foundation. + + Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, + California, USA. All Rights Reserved. Permission to copy and + distribute verbatim copies of this document is granted. + +====================================================================== + +Marked test programs in src/lib/krb5/krb have the following copyright: + + Copyright (C) 2006 Kungliga Tekniska Ho"gskola + (Royal Institute of Technology, Stockholm, Sweden). + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of KTH nor the names of its contributors may be + used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +The KCM Mach RPC definition file used on OS X has the following +copyright: + + Copyright (C) 2009 Kungliga Tekniska Ho"gskola + (Royal Institute of Technology, Stockholm, Sweden). + All rights reserved. + + Portions Copyright (C) 2009 Apple Inc. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the Institute nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +Portions of the RPC implementation in src/lib/rpc and +src/include/gssrpc have the following copyright and permission notice: + + Copyright (C) 2010, Oracle America, Inc. + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the "Oracle America, Inc." nor the names of + its contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + + Copyright (C) 2006,2007,2009 NTT (Nippon Telegraph and Telephone + Corporation). All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer as + the first lines of this file unmodified. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + + Copyright 2000 by Carnegie Mellon University + + All Rights Reserved + + Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation, and that the name of + Carnegie Mellon University not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. + + CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + SOFTWARE. + +====================================================================== + + Copyright (C) 2002 Naval Research Laboratory (NRL/CCS) + + Permission to use, copy, modify and distribute this software and + its documentation is hereby granted, provided that both the + copyright notice and this permission notice appear in all copies of + the software, derivative works or modified versions, and any + portions thereof. + + NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND + DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER + RESULTING FROM THE USE OF THIS SOFTWARE. + +====================================================================== + +Portions extracted from Internet RFCs have the following copyright +notice: + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on + an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE + REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT + THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR + ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A + PARTICULAR PURPOSE. + +====================================================================== + + Copyright (C) 1991, 1992, 1994 by Cygnus Support. + + Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation. Cygnus Support makes no + representations about the suitability of this software for any + purpose. It is provided "as is" without express or implied + warranty. + +====================================================================== + + Copyright (C) 2006 Secure Endpoints Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +====================================================================== + +Portions of the implementation of the Fortuna-like PRNG are subject to +the following notice: + + Copyright (C) 2005 Marko Kreen + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + Copyright (C) 1994 by the University of Southern California + + EXPORT OF THIS SOFTWARE from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute + this software and its documentation in source and binary forms is + hereby granted, provided that any documentation or other materials + related to such distribution or use acknowledge that the software + was developed by the University of Southern California. + + DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The + University of Southern California MAKES NO REPRESENTATIONS OR + WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + limitation, the University of Southern California MAKES NO + REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY + PARTICULAR PURPOSE. The University of Southern California shall not + be held liable for any liability nor for any direct, indirect, or + consequential damages with respect to any claim by the user or + distributor of the ksu software. + +====================================================================== + + Copyright (C) 1995 + The President and Fellows of Harvard University + + This code is derived from software contributed to Harvard by Jeremy + Rassen. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgement: + + This product includes software developed by the University of + California, Berkeley and its contributors. + + 4. Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + + Copyright (C) 2008 by the Massachusetts Institute of Technology. + Copyright 1995 by Richard P. Basch. All Rights Reserved. + Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of Richard P. Basch, Lehman Brothers and M.I.T. not be + used in advertising or publicity pertaining to distribution of the + software without specific, written prior permission. Richard P. + Basch, Lehman Brothers and M.I.T. make no representations about the + suitability of this software for any purpose. It is provided "as + is" without express or implied warranty. + +====================================================================== + +The following notice applies to "src/lib/krb5/krb/strptime.c" and +"src/include/k5-queue.h". + + Copyright (C) 1997, 1998 The NetBSD Foundation, Inc. + All rights reserved. + + This code was contributed to The NetBSD Foundation by Klaus Klein. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgement: + + This product includes software developed by the NetBSD + Foundation, Inc. and its contributors. + + 4. Neither the name of The NetBSD Foundation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND + CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + +====================================================================== + +The following notice applies to Unicode library files in +"src/lib/krb5/unicode": + + Copyright 1997, 1998, 1999 Computing Research Labs, + New Mexico State University + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR + NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE + OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +====================================================================== + +The following notice applies to "src/util/support/strlcpy.c": + + Copyright (C) 1998 Todd C. Miller "Todd.Miller@courtesan.com" + + Permission to use, copy, modify, and distribute this software for + any purpose with or without fee is hereby granted, provided that + the above copyright notice and this permission notice appear in all + copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR + CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +====================================================================== + +The following notice applies to "src/util/profile/argv_parse.c" and +"src/util/profile/argv_parse.h": + + Copyright 1999 by Theodore Ts'o. + + Permission to use, copy, modify, and distribute this software for + any purpose with or without fee is hereby granted, provided that + the above copyright notice and this permission notice appear in all + copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN + NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + it sick that the U.S. culture of lawsuit-happy lawyers requires + this kind of disclaimer?) + +====================================================================== + +The following notice applies to SWIG-generated code in +"src/util/profile/profile_tcl.c": + + Copyright (C) 1999-2000, The University of Chicago + + This file may be freely redistributed without license or fee + provided this copyright message remains intact. + +====================================================================== + +The following notice applies to portiions of "src/lib/rpc" and +"src/include/gssrpc": + + Copyright (C) 2000 The Regents of the University of Michigan. All + rights reserved. + + Copyright (C) 2000 Dug Song "dugsong@UMICH.EDU". All rights + reserved, all wrongs reversed. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + +====================================================================== + +Implementations of the MD4 algorithm are subject to the following +notice: + + Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD4 Message Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD4 Message Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +Implementations of the MD5 algorithm are subject to the following +notice: + + Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message- Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +The following notice applies to +"src/lib/crypto/crypto_tests/t_mddriver.c": + + Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All + rights reserved. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" without + express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +Portions of "src/lib/krb5" are subject to the following notice: + + Copyright (C) 1994 CyberSAFE Corporation. + Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. + All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of M.I.T. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. Furthermore if you modify this software + you must label your software as modified software and not + distribute it in such a fashion that it might be confused with the + original M.I.T. software. Neither M.I.T., the Open Computing + Security Group, nor CyberSAFE Corporation make any representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + +====================================================================== + +Portions contributed by PADL Software are subject to the following +license: + + Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of PADL Software nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +The bundled libev source code is subject to the following license: + + All files in libev are Copyright (C)2007,2008,2009 Marc Alexander + Lehmann. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + + Alternatively, the contents of this package may be used under the + terms of the GNU General Public License ("GPL") version 2 or any + later version, in which case the provisions of the GPL are + applicable instead of the above. If you wish to allow the use of + your version of this package only under the terms of the GPL and + not to allow others to use your version of this file under the BSD + license, indicate your decision by deleting the provisions above + and replace them with the notice and other provisions required by + the GPL in this and the other files of this package. If you do not + delete the provisions above, a recipient may use your version of + this file under either the BSD or the GPL. + +====================================================================== + +Files copied from the Intel AESNI Sample Library are subject to the +following license: + + Copyright (C) 2010, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + * Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/krb5.p5m --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/krb5.p5m Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,528 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. +# + + default mangler.man.stability uncommitted> +set name=pkg.fmri \ + value=pkg:/security/kerberos-5@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) +set name=pkg.summary value="Kerberos V5 Support" +set name=pkg.description \ + value="The Kerberos service is a client-server architecture that provides secure transactions over networks and offers strong, single sign-on user authentication, as well as integrity and privacy." +set name=com.oracle.info.description value="Kerberos V5 Support" +set name=com.oracle.info.tpno value=$(TPNO) +set name=info.classification value=org.opensolaris.category.2008:System/Security +set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) +set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 +set name=org.opensolaris.consolidation value=$(CONSOLIDATION) +dir path=etc/gss/mech.d group=sys +link path=usr/bin/kdestroy \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kinit \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/klist \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kpasswd \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/krb5-config \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/krb5-config \ + mediator=kerberos5 mediator-implementation=MIT +file path=usr/bin/kswitch +link path=usr/bin/ktutil \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kvno \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/gssapi/gssapi.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/gssapi/gssapi_ext.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/kerberosv5/com_err.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h \ + mediator=kerberos5 mediator-implementation=MIT +dir path=usr/include/kerberosv5/gssapi +file path=usr/include/kerberosv5/gssapi.h +file path=usr/include/kerberosv5/gssapi/gssapi_generic.h +file path=usr/include/kerberosv5/gssapi/gssapi_krb5.h +file path=usr/include/kerberosv5/gssapi/mechglue.h +dir path=usr/include/kerberosv5/kadm5 +file path=usr/include/kerberosv5/kadm5/admin.h +file path=usr/include/kerberosv5/kadm5/chpass_util_strings.h +file path=usr/include/kerberosv5/kadm5/kadm_err.h +file path=usr/include/kerberosv5/kdb.h +file path=usr/include/kerberosv5/krad.h +dir path=usr/include/kerberosv5/krb5 +link path=usr/include/kerberosv5/krb5.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h \ + mediator=kerberos5 mediator-implementation=MIT +file path=usr/include/kerberosv5/krb5/ccselect_plugin.h +file path=usr/include/kerberosv5/krb5/clpreauth_plugin.h +file path=usr/include/kerberosv5/krb5/hostrealm_plugin.h +file path=usr/include/kerberosv5/krb5/kadm5_hook_plugin.h +file path=usr/include/kerberosv5/krb5/kdcpreauth_plugin.h +file path=usr/include/kerberosv5/krb5/krb5.h +file path=usr/include/kerberosv5/krb5/localauth_plugin.h +file path=usr/include/kerberosv5/krb5/locate_plugin.h +file path=usr/include/kerberosv5/krb5/plugin.h +file path=usr/include/kerberosv5/krb5/preauth_plugin.h +file path=usr/include/kerberosv5/krb5/pwqual_plugin.h +link path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ + target=../../../../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/prof_solaris.h \ + path=usr/include/kerberosv5/private/krb5/prof_solaris.h +file path=usr/include/kerberosv5/profile.h +file path=usr/include/kerberosv5/verto-module.h +file path=usr/include/kerberosv5/verto.h +file usr/bin/k5srvutil \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil +file usr/bin/kadmin path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin +file usr/bin/kdestroy \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy +file usr/bin/kinit path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit +file usr/bin/klist path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist +file usr/bin/kpasswd \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd +file usr/bin/ktutil path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil +file usr/bin/kvno path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno +file usr/bin/krb5-config path=usr/kerberos5/$(COMPONENT_VERSION)/bin/krb5-config +file usr/include/kerberosv5/gssapi/gssapi.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h +file usr/include/kerberosv5/gssapi/gssapi_ext.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h +file usr/include/kerberosv5/com_err.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h +file usr/include/kerberosv5/krb5.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h +file Solaris/kt_solaris.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h +file usr/lib/$(MACH64)/libgss.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 +file usr/lib/$(MACH64)/libkadm5clnt.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 +file usr/lib/$(MACH64)/libkrb5.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 +file usr/lib/krb5/plugins/preauth/pkinit.so \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so +file usr/lib/libgss.so.1 path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 +file usr/lib/libkadm5clnt.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 +file usr/lib/libkrb5.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 +dir path=usr/lib/$(MACH64)/krb5 +dir path=usr/lib/$(MACH64)/krb5/plugins +dir path=usr/lib/$(MACH64)/krb5/plugins/authdata +dir path=usr/lib/$(MACH64)/krb5/plugins/libkrb5 +dir path=usr/lib/$(MACH64)/krb5/plugins/preauth +file path=usr/lib/$(MACH64)/krb5/plugins/preauth/otp.so +file path=usr/lib/$(MACH64)/krb5/plugins/preauth/pkinit.so +dir path=usr/lib/$(MACH64)/krb5/plugins/tls +file path=usr/lib/$(MACH64)/krb5/plugins/tls/k5tls.so +link path=usr/lib/$(MACH64)/libcom_err.so target=libcom_err.so.3.0 +link path=usr/lib/$(MACH64)/libcom_err.so.3 target=libcom_err.so.3.0 +file path=usr/lib/$(MACH64)/libcom_err.so.3.0 +link path=usr/lib/$(MACH64)/libgss.so target=libgssapi_krb5.so.2.2 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libgss.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 +link path=usr/lib/$(MACH64)/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 +file path=usr/lib/$(MACH64)/libgssapi_krb5.so.2.2 +link path=usr/lib/$(MACH64)/libk5crypto.so target=libk5crypto.so.3.1 +link path=usr/lib/$(MACH64)/libk5crypto.so.3 target=libk5crypto.so.3.1 +file path=usr/lib/$(MACH64)/libk5crypto.so.3.1 +link path=usr/lib/$(MACH64)/libkadm5clnt.so target=libkadm5clnt_mit.so \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkadm5clnt.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 +file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so +link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 +file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkdb5.so target=libkdb5.so.8.0 +link path=usr/lib/$(MACH64)/libkdb5.so.8 target=libkdb5.so.8.0 +file path=usr/lib/$(MACH64)/libkdb5.so.8.0 +link path=usr/lib/$(MACH64)/libkrad.so target=libkrad.so.0.0 +link path=usr/lib/$(MACH64)/libkrad.so.0 target=libkrad.so.0.0 +file path=usr/lib/$(MACH64)/libkrad.so.0.0 +link path=usr/lib/$(MACH64)/libkrb5.so target=libkrb5.so.3.3 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkrb5.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkrb5.so.3 target=libkrb5.so.3.3 +file path=usr/lib/$(MACH64)/libkrb5.so.3.3 +link path=usr/lib/$(MACH64)/libkrb5support.so target=libkrb5support.so.0.1 +link path=usr/lib/$(MACH64)/libkrb5support.so.0 target=libkrb5support.so.0.1 +file path=usr/lib/$(MACH64)/libkrb5support.so.0.1 +link path=usr/lib/$(MACH64)/libverto.so target=libverto.so.0.0 +link path=usr/lib/$(MACH64)/libverto.so.0 target=libverto.so.0.0 +file path=usr/lib/$(MACH64)/libverto.so.0.0 +file path=usr/lib/$(MACH64)/pkgconfig/kadm-client.pc +file path=usr/lib/$(MACH64)/pkgconfig/kadm-server.pc +file path=usr/lib/$(MACH64)/pkgconfig/kdb.pc +file path=usr/lib/$(MACH64)/pkgconfig/krb5-gssapi.pc +file path=usr/lib/$(MACH64)/pkgconfig/krb5.pc +file path=usr/lib/$(MACH64)/pkgconfig/mit-krb5-gssapi.pc +file path=usr/lib/$(MACH64)/pkgconfig/mit-krb5.pc +dir path=usr/lib/krb5 +dir path=usr/lib/krb5/plugins +dir path=usr/lib/krb5/plugins/authdata +dir path=usr/lib/krb5/plugins/libkrb5 +dir path=usr/lib/krb5/plugins/preauth +file path=usr/lib/krb5/plugins/preauth/otp.so +link path=usr/lib/krb5/plugins/preauth/pkinit.so \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so \ + mediator=kerberos5 mediator-implementation=MIT +dir path=usr/lib/krb5/plugins/tls +file path=usr/lib/krb5/plugins/tls/k5tls.so +link path=usr/lib/libcom_err.so target=libcom_err.so.3.0 +link path=usr/lib/libcom_err.so.3 target=libcom_err.so.3.0 +file path=usr/lib/libcom_err.so.3.0 +link path=usr/lib/libgss.so target=libgssapi_krb5.so.2.2 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libgss.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 +link path=usr/lib/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 +file path=usr/lib/libgssapi_krb5.so.2.2 +link path=usr/lib/libk5crypto.so target=libk5crypto.so.3.1 +link path=usr/lib/libk5crypto.so.3 target=libk5crypto.so.3.1 +file path=usr/lib/libk5crypto.so.3.1 +link path=usr/lib/libkadm5clnt.so target=libkadm5clnt_mit.so \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkadm5clnt.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 +link path=usr/lib/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 +file path=usr/lib/libkadm5clnt_mit.so.9.0 +link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 +link path=usr/lib/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 +file path=usr/lib/libkadm5srv_mit.so.9.0 +link path=usr/lib/libkdb5.so target=libkdb5.so.8.0 +link path=usr/lib/libkdb5.so.8 target=libkdb5.so.8.0 +file path=usr/lib/libkdb5.so.8.0 +link path=usr/lib/libkrad.so target=libkrad.so.0.0 +link path=usr/lib/libkrad.so.0 target=libkrad.so.0.0 +file path=usr/lib/libkrad.so.0.0 +link path=usr/lib/libkrb5.so target=libkrb5.so.3.3 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkrb5.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkrb5.so.3 target=libkrb5.so.3.3 +file path=usr/lib/libkrb5.so.3.3 +link path=usr/lib/libkrb5support.so target=libkrb5support.so.0.1 +link path=usr/lib/libkrb5support.so.0 target=libkrb5support.so.0.1 +file path=usr/lib/libkrb5support.so.0.1 +link path=usr/lib/libverto.so target=libverto.so.0.0 +link path=usr/lib/libverto.so.0 target=libverto.so.0.0 +file path=usr/lib/libverto.so.0.0 +file path=usr/lib/pkgconfig/kadm-client.pc +file path=usr/lib/pkgconfig/kadm-server.pc +file path=usr/lib/pkgconfig/kdb.pc +file path=usr/lib/pkgconfig/krb5-gssapi.pc +file path=usr/lib/pkgconfig/krb5.pc +file path=usr/lib/pkgconfig/mit-krb5-gssapi.pc +file path=usr/lib/pkgconfig/mit-krb5.pc +link path=usr/sbin/k5srvutil \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kadmin \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin \ + mediator=kerberos5 mediator-implementation=MIT +dir path=usr/share/et +file path=usr/share/et/et_c.awk +file path=usr/share/et/et_h.awk +dir path=usr/share/examples +dir path=usr/share/examples/krb5 +file path=usr/share/examples/krb5/services.append +file path=usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo +link path=usr/share/man/3lib/libgss.3lib target=./libgss.mit.3lib \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.mit.3lib +link path=usr/share/man/3lib/libkrb5.3lib target=./libkrb5.mit.3lib \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.mit.3lib +dir path=usr/share/man/cat1 +dir path=usr/share/man/cat5 +dir path=usr/share/man/cat8 +link path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/ja_JP.UTF-8/kerberos.5 \ + path=usr/share/man/ja_JP.UTF-8/man5/kerberos.mit.5 +link path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \ + target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/ja_JP.UTF-8/krb5envvar.5 \ + path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.mit.5 +file path=usr/share/man/man1/k5srvutil.1 +file path=usr/share/man/man1/kadmin.1 +link path=usr/share/man/man1/kdestroy.1 target=./kdestroy.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/kdestroy.1 path=usr/share/man/man1/kdestroy.mit.1 +link path=usr/share/man/man1/kinit.1 target=./kinit.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/kinit.1 path=usr/share/man/man1/kinit.mit.1 +link path=usr/share/man/man1/klist.1 target=./klist.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/klist.1 path=usr/share/man/man1/klist.mit.1 +link path=usr/share/man/man1/kpasswd.1 target=./kpasswd.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/kpasswd.1 path=usr/share/man/man1/kpasswd.mit.1 +link path=usr/share/man/man1/krb5-config.1 target=./krb5-config.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/krb5-config.1 path=usr/share/man/man1/krb5-config.mit.1 +file path=usr/share/man/man1/kswitch.1 +link path=usr/share/man/man1/ktutil.1 target=./ktutil.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/ktutil.1 path=usr/share/man/man1/ktutil.mit.1 +link path=usr/share/man/man1/kvno.1 target=./kvno.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/kvno.1 path=usr/share/man/man1/kvno.mit.1 +link path=usr/share/man/man3gss/gss_accept_sec_context.3gss \ + target=./gss_accept_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_accept_sec_context.3gss \ + path=usr/share/man/man3gss/gss_accept_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_acquire_cred.3gss \ + target=./gss_acquire_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_acquire_cred.3gss \ + path=usr/share/man/man3gss/gss_acquire_cred.mit.3gss +link path=usr/share/man/man3gss/gss_add_cred.3gss \ + target=./gss_add_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_add_cred.3gss \ + path=usr/share/man/man3gss/gss_add_cred.mit.3gss +link path=usr/share/man/man3gss/gss_add_oid_set_member.3gss \ + target=./gss_add_oid_set_member.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_add_oid_set_member.3gss \ + path=usr/share/man/man3gss/gss_add_oid_set_member.mit.3gss +link path=usr/share/man/man3gss/gss_canonicalize_name.3gss \ + target=./gss_canonicalize_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_canonicalize_name.3gss \ + path=usr/share/man/man3gss/gss_canonicalize_name.mit.3gss +link path=usr/share/man/man3gss/gss_compare_name.3gss \ + target=./gss_compare_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_compare_name.3gss \ + path=usr/share/man/man3gss/gss_compare_name.mit.3gss +link path=usr/share/man/man3gss/gss_context_time.3gss \ + target=./gss_context_time.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_context_time.3gss \ + path=usr/share/man/man3gss/gss_context_time.mit.3gss +link path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss \ + target=./gss_create_empty_oid_set.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_create_empty_oid_set.3gss \ + path=usr/share/man/man3gss/gss_create_empty_oid_set.mit.3gss +link path=usr/share/man/man3gss/gss_delete_sec_context.3gss \ + target=./gss_delete_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_delete_sec_context.3gss \ + path=usr/share/man/man3gss/gss_delete_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_display_name.3gss \ + target=./gss_display_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_display_name.3gss \ + path=usr/share/man/man3gss/gss_display_name.mit.3gss +link path=usr/share/man/man3gss/gss_display_status.3gss \ + target=./gss_display_status.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_display_status.3gss \ + path=usr/share/man/man3gss/gss_display_status.mit.3gss +link path=usr/share/man/man3gss/gss_duplicate_name.3gss \ + target=./gss_duplicate_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_duplicate_name.3gss \ + path=usr/share/man/man3gss/gss_duplicate_name.mit.3gss +link path=usr/share/man/man3gss/gss_export_name.3gss \ + target=./gss_export_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_export_name.3gss \ + path=usr/share/man/man3gss/gss_export_name.mit.3gss +link path=usr/share/man/man3gss/gss_export_sec_context.3gss \ + target=./gss_export_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_export_sec_context.3gss \ + path=usr/share/man/man3gss/gss_export_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_get_mic.3gss target=./gss_get_mic.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_get_mic.3gss \ + path=usr/share/man/man3gss/gss_get_mic.mit.3gss +link path=usr/share/man/man3gss/gss_import_name.3gss \ + target=./gss_import_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_import_name.3gss \ + path=usr/share/man/man3gss/gss_import_name.mit.3gss +link path=usr/share/man/man3gss/gss_import_sec_context.3gss \ + target=./gss_import_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_import_sec_context.3gss \ + path=usr/share/man/man3gss/gss_import_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_indicate_mechs.3gss \ + target=./gss_indicate_mechs.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_indicate_mechs.3gss \ + path=usr/share/man/man3gss/gss_indicate_mechs.mit.3gss +link path=usr/share/man/man3gss/gss_init_sec_context.3gss \ + target=./gss_init_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_init_sec_context.3gss \ + path=usr/share/man/man3gss/gss_init_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_context.3gss \ + target=./gss_inquire_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_inquire_context.3gss \ + path=usr/share/man/man3gss/gss_inquire_context.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_cred.3gss \ + target=./gss_inquire_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_inquire_cred.3gss \ + path=usr/share/man/man3gss/gss_inquire_cred.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss \ + target=./gss_inquire_cred_by_mech.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_inquire_cred_by_mech.3gss \ + path=usr/share/man/man3gss/gss_inquire_cred_by_mech.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss \ + target=./gss_inquire_mechs_for_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_inquire_mechs_for_name.3gss \ + path=usr/share/man/man3gss/gss_inquire_mechs_for_name.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss \ + target=./gss_inquire_names_for_mech.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_inquire_names_for_mech.3gss \ + path=usr/share/man/man3gss/gss_inquire_names_for_mech.mit.3gss +link path=usr/share/man/man3gss/gss_oid_to_str.3gss \ + target=./gss_oid_to_str.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_oid_to_str.3gss \ + path=usr/share/man/man3gss/gss_oid_to_str.mit.3gss +link path=usr/share/man/man3gss/gss_process_context_token.3gss \ + target=./gss_process_context_token.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_process_context_token.3gss \ + path=usr/share/man/man3gss/gss_process_context_token.mit.3gss +link path=usr/share/man/man3gss/gss_release_buffer.3gss \ + target=./gss_release_buffer.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_release_buffer.3gss \ + path=usr/share/man/man3gss/gss_release_buffer.mit.3gss +link path=usr/share/man/man3gss/gss_release_cred.3gss \ + target=./gss_release_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_release_cred.3gss \ + path=usr/share/man/man3gss/gss_release_cred.mit.3gss +link path=usr/share/man/man3gss/gss_release_name.3gss \ + target=./gss_release_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_release_name.3gss \ + path=usr/share/man/man3gss/gss_release_name.mit.3gss +link path=usr/share/man/man3gss/gss_release_oid.3gss \ + target=./gss_release_oid.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_release_oid.3gss \ + path=usr/share/man/man3gss/gss_release_oid.mit.3gss +link path=usr/share/man/man3gss/gss_release_oid_set.3gss \ + target=./gss_release_oid_set.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_release_oid_set.3gss \ + path=usr/share/man/man3gss/gss_release_oid_set.mit.3gss +link path=usr/share/man/man3gss/gss_store_cred.3gss \ + target=./gss_store_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_store_cred.3gss \ + path=usr/share/man/man3gss/gss_store_cred.mit.3gss +link path=usr/share/man/man3gss/gss_str_to_oid.3gss \ + target=./gss_str_to_oid.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_str_to_oid.3gss \ + path=usr/share/man/man3gss/gss_str_to_oid.mit.3gss +link path=usr/share/man/man3gss/gss_test_oid_set_member.3gss \ + target=./gss_test_oid_set_member.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_test_oid_set_member.3gss \ + path=usr/share/man/man3gss/gss_test_oid_set_member.mit.3gss +link path=usr/share/man/man3gss/gss_unwrap.3gss target=./gss_unwrap.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.mit.3gss +link path=usr/share/man/man3gss/gss_verify_mic.3gss \ + target=./gss_verify_mic.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_verify_mic.3gss \ + path=usr/share/man/man3gss/gss_verify_mic.mit.3gss +link path=usr/share/man/man3gss/gss_wrap.3gss target=./gss_wrap.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.mit.3gss +link path=usr/share/man/man3gss/gss_wrap_size_limit.3gss \ + target=./gss_wrap_size_limit.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_wrap_size_limit.3gss \ + path=usr/share/man/man3gss/gss_wrap_size_limit.mit.3gss +file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.mit.3lib +file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.mit.3lib +file path=usr/share/man/man5/.k5identity.5 +file path=usr/share/man/man5/.k5login.5 +link path=usr/share/man/man5/gss_auth_rules.5 target=./gss_auth_rules.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.mit.5 +file path=usr/share/man/man5/k5identity.5 +file path=usr/share/man/man5/k5login.5 +link path=usr/share/man/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.mit.5 +file path=usr/share/man/man5/krb5.conf.5 +link path=usr/share/man/man5/krb5envvar.5 target=./krb5envvar.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.mit.5 +link path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/zh_CN.UTF-8/kerberos.5 \ + path=usr/share/man/zh_CN.UTF-8/man5/kerberos.mit.5 +link path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \ + target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/zh_CN.UTF-8/krb5envvar.5 \ + path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.mit.5 +dir path=var/krb5/rcache group=sys mode=1777 +dir path=var/krb5/rcache/root group=sys mode=0700 revert-tag=clone-archive=* +license krb5.license license="BSD, BSD-like (KerberosV5)" diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/010-qop.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/010-qop.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,93 @@ +# +# This patch patches in g_utils.c with /etc/gss/qop related interfaces. +# +# These functions were removed from MIT code, but are referenced by Solaris +# rpcsec_gss wrappers. +# +# This is a Solaris specific patch not intended for upstream contribution. +# Patch source: in-house +# +diff -ur old/src/lib/gssapi/libgssapi_krb5.exports new/src/lib/gssapi/libgssapi_krb5.exports +--- old/src/lib/gssapi/libgssapi_krb5.exports 2014-08-11 02:19:59.000000000 -0700 ++++ new/src/lib/gssapi/libgssapi_krb5.exports 2014-09-05 08:22:03.879817432 -0700 +@@ -36,6 +36,9 @@ + GSS_C_MA_PFS + GSS_C_MA_COMPRESS + GSS_C_MA_CTX_TRANS ++gssint_qop_to_num ++gssint_num_to_qop ++gssint_get_mech_info + gss_accept_sec_context + gss_acquire_cred + gss_acquire_cred_with_password +Only in new/src/lib/gssapi: libgssapi_krb5.exports.orig +Only in new/src/lib/gssapi: libgssapi_krb5.exports.rej +diff -ur old/src/lib/gssapi/mechglue/Makefile.in new/src/lib/gssapi/mechglue/Makefile.in +--- old/src/lib/gssapi/mechglue/Makefile.in 2014-08-11 02:19:59.000000000 -0700 ++++ new/src/lib/gssapi/mechglue/Makefile.in 2014-09-05 08:20:06.987333578 -0700 +@@ -66,6 +66,7 @@ + $(srcdir)/g_sign.c \ + $(srcdir)/g_store_cred.c \ + $(srcdir)/g_unseal.c \ ++ $(srcdir)/g_utils.c \ + $(srcdir)/g_unwrap_aead.c \ + $(srcdir)/g_unwrap_iov.c \ + $(srcdir)/g_verify.c \ +@@ -130,6 +131,7 @@ + $(OUTPRE)g_sign.$(OBJEXT) \ + $(OUTPRE)g_store_cred.$(OBJEXT) \ + $(OUTPRE)g_unseal.$(OBJEXT) \ ++ $(OUTPRE)g_utils.$(OBJEXT) \ + $(OUTPRE)g_unwrap_aead.$(OBJEXT) \ + $(OUTPRE)g_unwrap_iov.$(OBJEXT) \ + $(OUTPRE)g_verify.$(OBJEXT) \ +@@ -194,6 +196,7 @@ + g_sign.o \ + g_store_cred.o \ + g_unseal.o \ ++ g_utils.o \ + g_unwrap_aead.o \ + g_unwrap_iov.o \ + g_verify.o \ +diff -ur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h +--- old/src/lib/gssapi/mechglue/mglueP.h 2014-08-11 02:19:59.000000000 -0700 ++++ new/src/lib/gssapi/mechglue/mglueP.h 2014-09-05 08:20:06.987586085 -0700 +@@ -66,6 +66,38 @@ + } gss_union_cred_desc, *gss_union_cred_t; + + /* ++ * qop configuration file handling. ++ */ ++#define MAX_QOP_NUM_PAIRS 128 ++#define MAX_QOPS_PER_MECH 128 ++ ++typedef struct _qop_num { ++ char *qop; ++ OM_uint32 num; ++ char *mech; ++} qop_num; ++ ++OM_uint32 ++gssint_qop_to_num( ++ char *qop, /* input qop string */ ++ char *mech, /* input mech string */ ++ OM_uint32 *num /* output qop num */ ++); ++ ++OM_uint32 ++gssint_num_to_qop( ++ char *mech, /* input mech string */ ++ OM_uint32 num, /* input qop num */ ++ char **qop /* output qop name */ ++); ++ ++OM_uint32 ++gssint_get_mech_info( ++ char *mech, /* input mech string */ ++ char **qops /* buffer for return qops */ ++); ++ ++/* + * Rudimentary pointer validation macro to check whether the + * "loopback" field of an opaque struct points back to itself. This + * field also catches some programming errors where an opaque pointer diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/011-libgss_hack.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/011-libgss_hack.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,194 @@ +# +# This patches the following interfaces back in MIT sources: +# gssint_mech_to_oid +# gssint_oid_to_mech +# gssint_get_mechanisms +# gssint_get_kmodName +# (These functions were originally Sun donated, but later removed.) +# +# This patch is not inteded for upstream contribution. +# Patch source: in-house +# +diff -ur old/src/lib/gssapi/mechglue/g_initialize.c new/src/lib/gssapi/mechglue/g_initialize.c +--- old/src/lib/gssapi/mechglue/g_initialize.c 2014-08-06 19:07:58.000000000 +0200 ++++ new/src/lib/gssapi/mechglue/g_initialize.c 2014-08-06 19:28:42.310006486 +0200 +@@ -444,6 +444,145 @@ + } + + /* ++ * given a mechanism string return the mechanism oid ++ */ ++OM_uint32 ++gssint_mech_to_oid(const char *mechStr, gss_OID* oid) ++{ ++ gss_mech_info aMech; ++ ++ if (oid == NULL) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ *oid = GSS_C_NULL_OID; ++ ++ if (gssint_mechglue_initialize_library() != 0) ++ return (GSS_S_FAILURE); ++ ++ if ((mechStr == NULL) || (strlen(mechStr) == 0) || ++ (strcasecmp(mechStr, M_DEFAULT) == 0)) ++ return (GSS_S_COMPLETE); ++ ++ /* ensure we have fresh data */ ++ k5_mutex_lock(&g_mechListLock); ++ updateMechList(); ++ (void) k5_mutex_unlock(&g_mechListLock); ++ ++ aMech = g_mechList; ++ ++ /* no lock required - only looking at fields that are not updated */ ++ while (aMech != NULL) { ++ if ((aMech->mechNameStr) && ++ strcmp(aMech->mechNameStr, mechStr) == 0) { ++ *oid = aMech->mech_type; ++ return (GSS_S_COMPLETE); ++ } ++ aMech = aMech->next; ++ } ++ return (GSS_S_FAILURE); ++} /* gssint_mech_to_oid */ ++ ++ ++/* ++ * Given the mechanism oid, return the readable mechanism name ++ * associated with that oid from the mech config file ++ * (/etc/gss/mech). ++ */ ++const char * ++gssint_oid_to_mech(const gss_OID oid) ++{ ++ gss_mech_info aMech; ++ ++ if (oid == GSS_C_NULL_OID) ++ return (M_DEFAULT); ++ ++ if (gssint_mechglue_initialize_library() != 0) ++ return (NULL); ++ ++ /* ensure we have fresh data */ ++ k5_mutex_lock(&g_mechListLock); ++ updateMechList(); ++ aMech = searchMechList(oid); ++ (void) k5_mutex_unlock(&g_mechListLock); ++ ++ if (aMech == NULL) ++ return (NULL); ++ ++ return (aMech->mechNameStr); ++} /* gssint_oid_to_mech */ ++ ++ ++/* ++ * return a list of mechanism strings supported ++ * upon return the array is terminated with a NULL entry ++ */ ++OM_uint32 ++gssint_get_mechanisms(char *mechArray[], int arrayLen) ++{ ++ gss_mech_info aMech; ++ int i; ++ ++ if (mechArray == NULL || arrayLen < 1) ++ return (GSS_S_CALL_INACCESSIBLE_WRITE); ++ ++ if (gssint_mechglue_initialize_library() != 0) ++ return (GSS_S_FAILURE); ++ ++ /* ensure we have fresh data */ ++ k5_mutex_lock(&g_mechListLock); ++ updateMechList(); ++ (void) k5_mutex_unlock(&g_mechListLock); ++ ++ aMech = g_mechList; ++ ++ /* no lock required - only looking at fields that are not updated */ ++ for (i = 1; i < arrayLen; i++) { ++ if (aMech != NULL) { ++ *mechArray = aMech->mechNameStr; ++ mechArray++; ++ aMech = aMech->next; ++ } else ++ break; ++ } ++ *mechArray = NULL; ++ return (GSS_S_COMPLETE); ++} /* gss_get_mechanisms */ ++ ++/* ++ * this function has been added for use by gssd. ++ * It will return the kernel module name for a specified mechanism. ++ * caller is responsible for freeing the memory ++ */ ++char * ++gssint_get_kmodName(oid) ++const gss_OID oid; ++{ ++ gss_mech_info aMech; ++ char *kmodName = NULL; ++ ++ /* make sure we have fresh data */ ++ (void) k5_mutex_lock(&g_mechListLock); ++ updateMechList(); ++ (void) k5_mutex_unlock(&g_mechListLock); ++ ++ /* searching the list does not require a lock */ ++ if ((aMech = searchMechList(oid)) == NULL || aMech->kmodName == NULL) { ++ return (NULL); ++ } ++ ++ /* ++ * need to obtain a lock on this structure in case someone else ++ * will try to update it during the copy ++ */ ++ (void) k5_mutex_lock(&g_mechListLock); ++ if (aMech->kmodName) ++ kmodName = strdup(aMech->kmodName); ++ (void) k5_mutex_unlock(&g_mechListLock); ++ ++ return (kmodName); ++} /* gssint_get_kmodName */ ++ ++/* + * determines if the mechList needs to be updated from file + * and performs the update. + * this functions must be called with a lock of g_mechListLock +Only in new/src/lib/gssapi/mechglue: g_initialize.c.orig +diff -ur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h +--- old/src/lib/gssapi/mechglue/mglueP.h 2014-08-06 19:07:58.000000000 +0200 ++++ new/src/lib/gssapi/mechglue/mglueP.h 2014-08-06 19:25:49.488232250 +0200 +@@ -793,6 +793,28 @@ + * Sun extensions to GSS-API v2 + */ + ++OM_uint32 ++gssint_mech_to_oid( ++ const char *mech, /* mechanism string name */ ++ gss_OID *oid /* mechanism oid */ ++); ++ ++const char * ++gssint_oid_to_mech( ++ const gss_OID oid /* mechanism oid */ ++); ++ ++OM_uint32 ++gssint_get_mechanisms( ++ char *mechArray[], /* array to populate with mechs */ ++ int arrayLen /* length of passed in array */ ++); ++ ++char * ++gssint_get_kmodName( ++ const gss_OID oid /* mechanism oid */ ++); ++ + int + gssint_get_der_length( + unsigned char **, /* buf */ +Only in new/src/lib/gssapi/mechglue: mglueP.h.orig diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/012-libgss_filter.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/012-libgss_filter.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,47 @@ +# +# This patch handles building libgss_stubs.o for libgss filter library, +# which contains the following wrappers: +# __gss_mech_to_oid -> gssint_mech_to_oid +# __gss_oid_to_mech -> gssint_oid_to_mech +# __gss_get_mechanisms -> gssint_get_mechanisms +# __gss_get_kmodName -> gssint_get_kmodName +# __gss_get_mechanism -> gssint_get_mechanism +# __gss_get_modOptions -> gssint_get_modOptions +# __gss_userok -> gss_authorize_localname +# +# This patch is for backward compatibility with applications linked against +# Solaris Kerberos libraries and is not intended for upstream contribution. +# Patch source: in-house +# +diff -ru old/src/lib/gssapi/mechglue/Makefile.in new/src/lib/gssapi/mechglue/Makefile.in +--- old/src/lib/gssapi/mechglue/Makefile.in 2013-12-06 06:13:39.120432302 -0800 ++++ new/src/lib/gssapi/mechglue/Makefile.in 2013-12-19 03:23:30.589779644 -0800 +@@ -72,7 +72,8 @@ + $(srcdir)/g_verify.c \ + $(srcdir)/g_wrap_aead.c \ + $(srcdir)/g_wrap_iov.c \ +- $(srcdir)/gssd_pname_to_uid.c ++ $(srcdir)/gssd_pname_to_uid.c \ ++ $(srcdir)/libgss_stubs.c + + OBJS = \ + $(OUTPRE)g_accept_sec_context.$(OBJEXT) \ +@@ -137,7 +138,8 @@ + $(OUTPRE)g_verify.$(OBJEXT) \ + $(OUTPRE)g_wrap_aead.$(OBJEXT) \ + $(OUTPRE)g_wrap_iov.$(OBJEXT) \ +- $(OUTPRE)gssd_pname_to_uid.$(OBJEXT) ++ $(OUTPRE)gssd_pname_to_uid.$(OBJEXT) \ ++ $(OUTPRE)libgss_stubs.$(OBJEXT) + + STLIBOBJS = \ + g_accept_sec_context.o \ +@@ -209,7 +211,7 @@ + + $(OBJS): $(EXPORTED_HEADERS) + +-all-unix:: all-libobjs ++all-unix:: all-libobjs libgss_stubs.o + + ##DOS##LIBOBJS = $(OBJS) + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/014-init_ccache.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/014-init_ccache.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,28 @@ +# +# copy_initiator_creds fails, if ccache file is not present. +# This patch in that case initializes the ccache to create the missing file +# and retries credentials copy. +# This was required for SunSSH credential delegation code. +# We will try to push the patch upstream. +# Patch source: in-house +# +diff -ur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c +--- old/src/lib/gssapi/krb5/store_cred.c 2014-01-21 01:38:26.331798328 -0800 ++++ new/src/lib/gssapi/krb5/store_cred.c 2014-01-21 02:31:35.858882999 -0800 +@@ -145,6 +145,16 @@ + } + + code = krb5_cc_copy_creds(context, kcred->ccache, ccache); ++ if (code == KRB5_FCC_NOFILE) { ++ /* default ccache file does not exists => initialize ccache */ ++ code = krb5_cc_initialize(context, ccache, kcred->name->princ); ++ if (code != 0) { ++ *minor_status = code; ++ major_status = GSS_S_CRED_UNAVAIL; ++ goto cleanup; ++ } ++ code = krb5_cc_copy_creds(context, kcred->ccache, ccache); ++ } + if (code != 0) { + *minor_status = code; + major_status = GSS_S_FAILURE; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/016-solaris_paths.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/016-solaris_paths.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,103 @@ +# +# Solaris specific paths +# - configuration in /etc/krb5/krb5.conf +# - database in /var/krb5 +# - rcache in /var/krb5/rcache +# +# The patch is Solaris specific and not intended for upstream contribution. +# Note, that MIT may end up taking the change for DEF_SERVICE_PASSWD_FILE below +# so that may require modification of this patch in a future update. +# Patch source: in-house +# +diff -pur old/src/include/osconf.hin new/src/include/osconf.hin +--- old/src/include/osconf.hin ++++ new/src/include/osconf.hin +@@ -40,6 +40,8 @@ + # include + #endif + ++#define KRB5_DIR "/etc/krb5" ++ + #if defined(_WIN32) + #define DEFAULT_PROFILE_FILENAME "krb5.ini" + #else /* !_WINDOWS */ +@@ -50,7 +52,7 @@ + #define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins" + #define KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosAuthDataPlugins" + #else +-#define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf@SYSCONFCONF" ++#define DEFAULT_SECURE_PROFILE_PATH KRB5_DIR "/krb5.conf" + #define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH + #endif + #endif /* _WINDOWS */ +@@ -58,7 +60,7 @@ + #define DEFAULT_PLUGIN_BASE_DIR "@LIBDIR/krb5/plugins" + #define PLUGIN_EXT "@DYNOBJEXT" + +-#define KDC_DIR "@LOCALSTATEDIR/krb5kdc" ++#define KDC_DIR "@LOCALSTATEDIR/krb5" + #define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc" + #define DEFAULT_KDB_FILE KDC_DIR "/principal" + #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5." +@@ -67,7 +69,7 @@ + #define DEFAULT_ADMIN_ACL KDC_DIR "/kadm_old.acl" + + /* Location of KDC profile */ +-#define DEFAULT_KDC_PROFILE KDC_DIR "/kdc.conf" ++#define DEFAULT_KDC_PROFILE KRB5_DIR "/kdc.conf" + #define KDC_PROFILE_ENV "KRB5_KDC_PROFILE" + + #if TARGET_OS_MAC +@@ -95,8 +97,8 @@ + /* + * Defaults for the KADM5 admin system. + */ +-#define DEFAULT_KADM5_KEYTAB KDC_DIR "/kadm5.keytab" +-#define DEFAULT_KADM5_ACL_FILE KDC_DIR "/kadm5.acl" ++#define DEFAULT_KADM5_KEYTAB KRB5_DIR "/kadm5.keytab" ++#define DEFAULT_KADM5_ACL_FILE KRB5_DIR "/kadm5.acl" + #define DEFAULT_KADM5_PORT 749 /* assigned by IANA */ + + #define KRB5_DEFAULT_SUPPORTED_ENCTYPES \ +@@ -106,7 +108,7 @@ + + #define MAX_DGRAM_SIZE 65536 + +-#define RCTMPDIR "@KRB5RCTMPDIR" /* directory to store replay caches */ ++#define RCTMPDIR KDC_DIR "/rcache" /* directory to store replay caches */ + + #define KRB5_PATH_TTY "/dev/tty" + #define KRB5_PATH_LOGIN "@SBINDIR/login.krb5" +@@ -123,7 +125,7 @@ + #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util" + #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop" + #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE +-#define KPROPD_ACL_FILE KDC_DIR "/kpropd.acl" ++#define KPROPD_ACL_FILE KRB5_DIR "/kpropd.acl" + + /* + * GSS mechglue +diff -pur old/src/kadmin/cli/k5srvutil.sh new/src/kadmin/cli/k5srvutil.sh +--- old/src/kadmin/cli/k5srvutil.sh ++++ new/src/kadmin/cli/k5srvutil.sh +@@ -73,7 +73,7 @@ delete_keys() { + } + + +-keytab=/etc/krb5.keytab ++keytab=/etc/krb5/krb5.keytab + interactive=0 + keysalts="" + +diff -r -u krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h krb5-1.13.2.srv-passwd-file/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +--- krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h ++++ krb5-1.13.2.srv-passwd-file/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +@@ -32,7 +32,7 @@ + #define MAX_LEN 1024 + #define MAX_SERVICE_PASSWD_LEN 256 + +-#define DEF_SERVICE_PASSWD_FILE "/usr/local/var/service_passwd" ++#define DEF_SERVICE_PASSWD_FILE KDC_DIR "/service_passwd" + + extern int tohex(krb5_data, krb5_data *); + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/017-use-openldap-lib.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/017-use-openldap-lib.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,40 @@ +# +# Temporary fix, to use OpenLDAP library, instead of legacy Mozilla LDAP +# Hardcodes -lldap_r-2.4 in configure script, instead of -lldap. +# Necessary to build current krb5, otherwise: +# kdb_ldap_conn.c, line 142: undefined symbol: LDAP_SASL_QUIET +# +# Reported upstream: +# http://krbdev.mit.edu/rt/Ticket/Display.html?id=8261 +# Patch source: in-house +# +diff -ur old/src/configure.in new/src/configure.in +--- old/src/configure.in 2013-11-04 16:55:08.000000000 -0800 ++++ new/src/configure.in 2014-05-22 04:28:42.013736461 -0700 +@@ -1118,20 +1118,20 @@ + ldap_lib="" + if test -n "$OPENLDAP_PLUGIN"; then + AC_CHECK_HEADERS(ldap.h lber.h, :, [AC_MSG_ERROR($ac_header not found)]) +- AC_CHECK_LIB(ldap, ldap_init, :, [AC_MSG_ERROR(libldap not found or missing ldap_init)]) ++ AC_CHECK_LIB(ldap_r-2.4, ldap_init, :, [AC_MSG_ERROR(libldap not found or missing ldap_init)]) + old_LIBS="$LIBS" +- LIBS="$LIBS -lldap" ++ LIBS="$LIBS -lldap_r-2.4" + AC_CHECK_FUNCS(ldap_initialize ldap_url_parse_nodn ldap_unbind_ext_s ldap_str2dn ldap_explode_dn) + LIBS="$old_LIBS" + + BER_OKAY=0 +- AC_CHECK_LIB(ldap, ber_init, [BER_OKAY=1]) ++ AC_CHECK_LIB(ldap_r-2.4, ber_init, [BER_OKAY=1]) + if test "$BER_OKAY" = "1"; then +- LDAP_LIBS='-lldap' ++ LDAP_LIBS='-lldap_r-2.4' + else +- AC_CHECK_LIB(lber, ber_init, [BER_OKAY=1], [AC_MSG_WARN([libber not found])]) ++ AC_CHECK_LIB(lber-2.4, ber_init, [BER_OKAY=1], [AC_MSG_WARN([libber not found])]) + if test "$BER_OKAY" = "1"; then +- LDAP_LIBS='-lldap -llber' ++ LDAP_LIBS='-lldap_r-2.4 -llber-2.4' + else + AC_ERROR("BER library missing - cannot build LDAP database module") + fi diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/018-krb5_keyblock-ABI.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/018-krb5_keyblock-ABI.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,25 @@ +# +# This provides padding for the krb5_keyblock struct so its size will be the +# same as it was in ON krb to avoid ABI issues that may be caused by the +# difference. This difference was a result of modifying ON krb to use the +# Crytpo Framework/libpkcs11 API as the crypto provider. This patch is not +# intended for upstream contribution to MIT. +# Patch source: in-house +# + +--- original/src/include/krb5/krb5.hin 2014-08-11 04:19:59.000000000 -0500 ++++ krb5-1.13.mockup/src/include/krb5/krb5.hin 2014-08-15 14:56:23.511193392 -0500 +@@ -347,6 +347,13 @@ + krb5_enctype enctype; + unsigned int length; + krb5_octet *contents; ++ /* ++ * Solaris Kerberos: for backwards ABI compatibility. The following fields ++ * are not used by the MIT code: ++ */ ++ int *dk_list; /* krb5_dk_node */ ++ unsigned long hKey; /* CK_OBJECT_HANDLE */ ++ int pid; + } krb5_keyblock; + + struct krb5_key_st; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/019-log-rotation.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/019-log-rotation.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,274 @@ +# +# This patch is to provide internal log rotation functionality for both +# kadmind & krb5kdc daemons. The functionality is defined in krb5.conf +# man page via 'admin_server_rotate' & 'kdc_rotate' parameters. +# +# Following two relations can be specified: +# +# period = delta_time +# versions = number +# +# NOTE: +# +# MIT Kerberos Consortium did not accept new features for MIT kerberos 1.13 +# release. For that matter, we would like to try to push this log rotation +# functionality in later MIT kerberos release, 1.14 or later. +# Patch source: in-house +# +--- ORIGINAL/src/lib/kadm5/logger.c 2014-08-11 02:19:59.000000000 -0700 ++++ krb5-1.13.mockup/src/lib/kadm5/logger.c 2014-09-11 17:13:22.608854008 -0700 +@@ -115,6 +115,13 @@ + struct log_file { + FILE *lf_filep; + char *lf_fname; ++ /* Solaris Kerberos */ ++ char *lf_fopen_mode; /* "a+" or "w" */ ++#define K_LOG_DEF_FILE_ROTATE_PERIOD -1 /* never */ ++#define K_LOG_DEF_FILE_ROTATE_VERSIONS 0 /* no versions */ ++ time_t lf_rotate_period; ++ time_t lf_last_rotated; ++ int lf_rotate_versions; + } log_file; + struct log_syslog { + int ls_facility; +@@ -128,6 +135,11 @@ + }; + #define lfu_filep log_union.log_file.lf_filep + #define lfu_fname log_union.log_file.lf_fname ++/* Solaris Kerberos */ ++#define lfu_fopen_mode log_union.log_file.lf_fopen_mode ++#define lfu_rotate_period log_union.log_file.lf_rotate_period ++#define lfu_last_rotated log_union.log_file.lf_last_rotated ++#define lfu_rotate_versions log_union.log_file.lf_rotate_versions + #define lsu_facility log_union.log_syslog.ls_facility + #define lsu_severity log_union.log_syslog.ls_severity + #define ldu_filep log_union.log_device.ld_filep +@@ -161,6 +173,133 @@ + -1) + #define DEVICE_CLOSE(d) fclose(d) + ++/* ++ * Solaris Kerberos ++ * klog_rotate() - roate a log file if we have specified rotation ++ * parameters in krb5.conf. ++ */ ++static void ++klog_rotate(struct log_entry *le) ++{ ++ time_t t; ++ int i; ++ char *name_buf1; ++ char *name_buf2; ++ char *old_name; ++ char *new_name; ++ char *tmp; ++ FILE *fp; ++ int num_vers; ++ mode_t old_umask; ++ ++ ++ /* ++ * By default we don't rotate. ++ */ ++ if (le->lfu_rotate_period == K_LOG_DEF_FILE_ROTATE_PERIOD) ++ return; ++ ++ t = time(0); ++ ++ if (t >= le->lfu_last_rotated + le->lfu_rotate_period) { ++ /* ++ * The N log file versions will be renamed X.N-1 X.N-2, ... X.0. ++ * So the allocate file name buffers that can the version ++ * number extensions. ++ * 32 extra bytes is plenty. ++ */ ++ name_buf1 = malloc(strlen(le->lfu_fname) + 32); ++ ++ if (name_buf1 == NULL) ++ return; ++ ++ name_buf2 = malloc(strlen(le->lfu_fname) + 32); ++ ++ if (name_buf2 == NULL) { ++ free(name_buf1); ++ return; ++ } ++ ++ old_name = name_buf1; ++ new_name = name_buf2; ++ ++ /* ++ * If there N versions, then the first one has file extension ++ * of N-1. ++ */ ++ (void) sprintf(new_name, "%s.%d", le->lfu_fname, ++ le->lfu_rotate_versions - 1); ++ ++ /* ++ * Rename file.N-2 to file.N-1, file.N-3 to file.N-2, ... ++ * file.0 to file.1 ++ */ ++ for (i = le->lfu_rotate_versions - 1; i > 0; i--) { ++ (void) sprintf(old_name, "%s.%d", le->lfu_fname, i - 1); ++ (void) rename(old_name, new_name); ++ ++ /* ++ * swap old name and new name. This way, ++ * on the next iteration, new_name.X ++ * becomes new_name.X-1. ++ */ ++ tmp = old_name; ++ old_name = new_name; ++ new_name = tmp; ++ } ++ old_name = le->lfu_fname; ++ ++ (void) rename(old_name, new_name); ++ ++ /* ++ * Even though we don't know yet if the fopen() ++ * of the log file will succeed, we mark the log ++ * as rotated. This is so we don't repeatably ++ * rotate file.N-2 to file.N-1 ... etc without ++ * waiting for the rotate period to elapse. ++ */ ++ le->lfu_last_rotated = t; ++ ++ /* ++ * Default log file creation mode should be read-only ++ * by owner(root), but the admin can override with ++ * chmod(1) if desired. ++ */ ++ ++ old_umask = umask(077); ++ fp = fopen(old_name, le->lfu_fopen_mode); ++ ++ umask(old_umask); ++ ++ if (fp != NULL) { ++ ++ (void) fclose(le->lfu_filep); ++ le->lfu_filep = fp; ++ ++ /* ++ * If the version parameter in krb5.conf was ++ * 0, then we take this to mean that rotating the ++ * log file will cause us to dispose of the ++ * old one, and created a new one. We have just ++ * renamed the old one to file.-1, so remove it. ++ */ ++ if (le->lfu_rotate_versions <= 0) ++ (void) unlink(new_name); ++ ++ } else { ++ fprintf(stderr, ++ _("During rotate, couldn't open log file %s: %s\n"), ++ old_name, error_message(errno)); ++ /* ++ * Put it back. ++ */ ++ (void) rename(new_name, old_name); ++ } ++ free(name_buf1); ++ free(name_buf2); ++ } ++} ++ + + /* + * klog_com_err_proc() - Handle com_err(3) messages as specified by the +@@ -276,6 +415,8 @@ + for (lindex = 0; lindex < log_control.log_nentries; lindex++) { + switch (log_control.log_entries[lindex].log_type) { + case K_LOG_FILE: ++ /* Solaris Kerberos */ ++ klog_rotate(&log_control.log_entries[lindex]); + case K_LOG_STDERR: + /* + * Files/standard error. +@@ -360,6 +501,7 @@ + int error; + int do_openlog, log_facility; + FILE *f; ++ mode_t old_umask; + + /* Initialize */ + do_openlog = 0; +@@ -423,12 +565,66 @@ + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { +- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); ++ /* Solaris Kerberos */ ++ log_control.log_entries[i].lfu_fopen_mode = ++ (cp[4] == ':') ? "a" : "w"; ++ old_umask = umask(077); ++ f = fopen(&cp[5], ++ log_control.log_entries[i].lfu_fopen_mode); ++ umask(old_umask); + if (f) { +- set_cloexec_file(f); ++ char rotate_kw[128]; + log_control.log_entries[i].lfu_filep = f; + log_control.log_entries[i].log_type = K_LOG_FILE; + log_control.log_entries[i].lfu_fname = &cp[5]; ++ log_control.log_entries[i].lfu_rotate_period = ++ K_LOG_DEF_FILE_ROTATE_PERIOD; ++ log_control.log_entries[i].lfu_rotate_versions = ++ K_LOG_DEF_FILE_ROTATE_VERSIONS; ++ log_control.log_entries[i].lfu_last_rotated = ++ time(0); ++ ++ /* ++ * Now parse for ename_"rotate" = { ++ * period = XXX ++ * versions = 10 ++ * } ++ */ ++ if (strlen(ename) + strlen("_rotate") < ++ sizeof (rotate_kw)) { ++ ++ char *time; ++ krb5_deltat dt; ++ int vers; ++ ++ strcpy(rotate_kw, ename); ++ strcat(rotate_kw, "_rotate"); ++ ++ if (!profile_get_string(kcontext->profile, ++ "logging", rotate_kw, ++ "period", NULL, ++ &time)) { ++ ++ if (time != NULL) { ++ if (!krb5_string_to_deltat(time, ++ &dt)) { ++ log_control.log_entries[i].lfu_rotate_period = ++ (time_t) dt; ++ } ++ free(time); ++ } ++ } ++ ++ if (!profile_get_integer( ++ kcontext->profile, ++ "logging", rotate_kw, ++ "versions", ++ K_LOG_DEF_FILE_ROTATE_VERSIONS, ++ &vers)) { ++ log_control.log_entries[i].lfu_rotate_versions = vers; ++ } ++ ++ } + } else { + fprintf(stderr,"Couldn't open log file %s: %s\n", + &cp[5], error_message(errno)); +@@ -880,6 +1076,8 @@ + for (lindex = 0; lindex < log_control.log_nentries; lindex++) { + switch (log_control.log_entries[lindex].log_type) { + case K_LOG_FILE: ++ /* Solaris Kerberos */ ++ klog_rotate(&log_control.log_entries[lindex]); + case K_LOG_STDERR: + /* + * Files/standard error. diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/020-libkrb5-makefile.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/020-libkrb5-makefile.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,100 @@ +# +# This patch provides Solaris specific private interfaces to satisfy run time +# dependencies for Kerberos related components in ON: +# +# kt_* *contracted with SMB team* +# k5_profile_* *contracted with SMB team* +# mit_des_fixup_key_parity +# krb5_os_init_context +# krb5_privacy_allowed +# profile_get_options_string +# profile_get_options_boolean +# +# NOTE: +# +# 1. This patch is Solaris specific. No need to contribute upstream. +# +# 2. prof_solaris.c has a change to fix profile_iterator issue +# which has not been integrated into current Solaris code yet. +# Patch source: in-house +# +--- ORIGINAL/src/lib/krb5/Makefile.in 2015-01-26 14:13:03.864453694 -0800 ++++ krb5-1.13/src/lib/krb5/Makefile.in 2015-01-28 16:00:48.949645899 -0800 +@@ -1,6 +1,6 @@ + mydir=lib$(S)krb5 + BUILDTOP=$(REL)..$(S).. +-LOCALINCLUDES = -I$(srcdir)/ccache -I$(srcdir)/keytab -I$(srcdir)/rcache -I$(srcdir)/os -I$(srcdir)/unicode ++LOCALINCLUDES = -I$(srcdir)/ccache -I$(srcdir)/keytab -I$(srcdir)/rcache -I$(srcdir)/os -I$(srcdir)/unicode -I$(srcdir)/../crypto/builtin/ + SUBDIRS= error_tables asn.1 ccache keytab krb os rcache unicode + WINSUBDIRS= $(SUBDIRS) posix + DEFINES=-DLOCALEDIR=\"$(KRB5_LOCALEDIR)\" +@@ -15,7 +15,8 @@ + + TST=if test -n "`cat DONE`" ; then + +-STLIBOBJS=krb5_libinit.o ++STLIBOBJS=krb5_libinit.o \ ++ prof_solaris.o + + LIBBASE=krb5 + LIBMAJOR=3 +@@ -47,10 +48,16 @@ + $(BUILDTOP)/util/profile/OBJS.ST + + OBJS=\ +- $(OUTPRE)krb5_libinit.$(OBJEXT) ++ $(OUTPRE)krb5_libinit.$(OBJEXT) \ ++ $(OUTPRE)missing_interfaces.$(OBJEXT) \ ++ $(OUTPRE)privacy_allowed.$(OBJEXT) \ ++ $(OUTPRE)prof_solaris.$(OBJEXT) + + SRCS=\ +- $(srcdir)/krb5_libinit.c ++ $(srcdir)/krb5_libinit.c \ ++ $(srcdir)/missing_interfaces.c \ ++ $(srcdir)/privacy_allowed.c \ ++ $(srcdir)/prof_solaris.c + + RELDIR=krb5 + SHLIB_EXPDEPS = \ +@@ -58,7 +65,7 @@ + $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) + SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS) + +-all-unix:: all-liblinks ++all-unix:: all-liblinks missing_interfaces.o privacy_allowed.o + + all-windows:: + +--- ORIGINAL/src/lib/krb5/keytab/Makefile.in 2014-12-01 16:58:27.760415842 -0800 ++++ krb5-1.13/src/lib/krb5/keytab/Makefile.in 2014-12-01 16:59:34.026881356 -0800 +@@ -15,7 +15,8 @@ + kt_file.o \ + kt_memory.o \ + kt_srvtab.o \ +- read_servi.o ++ read_servi.o \ ++ kt_solaris.o + + OBJS= \ + $(OUTPRE)ktadd.$(OBJEXT) \ +@@ -27,7 +28,8 @@ + $(OUTPRE)kt_file.$(OBJEXT) \ + $(OUTPRE)kt_memory.$(OBJEXT) \ + $(OUTPRE)kt_srvtab.$(OBJEXT) \ +- $(OUTPRE)read_servi.$(OBJEXT) ++ $(OUTPRE)read_servi.$(OBJEXT) \ ++ $(OUTPRE)kt_solaris.$(OBJEXT) + + SRCS= \ + $(srcdir)/ktadd.c \ +@@ -39,7 +41,8 @@ + $(srcdir)/kt_file.c \ + $(srcdir)/kt_memory.c \ + $(srcdir)/kt_srvtab.c \ +- $(srcdir)/read_servi.c ++ $(srcdir)/read_servi.c \ ++ $(srcdir)/kt_solaris.c + + EXTRADEPSRCS= \ + $(srcdir)/t_keytab.c diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/021-dump-ok.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/021-dump-ok.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,31 @@ +# +# This patch allows a successful dump of the kdb for full-resyncs when kadmind +# prompts for a master key, rather than gleaning one from a stash file. +# +# Original BugID is: +# 15401154 SUNBT6564718-SOLARIS_11 kdb5_util dump doesn't create a "dump ok"... +# +# Note: An MIT ticket has been submitted: #8042. MIT will fix this differently +# than what is currently in this patch, but will not be fixed in the immediate +# future. Not having this fix will cause noticable regression with dependent +# customers. +# Patch source: in-house +# +--- old/src/kadmin/dbutil/kdb5_util.c Wed Oct 15 17:55:10 2014 ++++ new/src/kadmin/dbutil/kdb5_util.c Sat Jan 10 22:00:39 2015 +@@ -478,7 +478,14 @@ + 0, &master_keyblock))) { + com_err(progname, retval, _("while reading master key")); + com_err(progname, 0, _("Warning: proceeding without master key")); +- exit_status++; ++ /* ++ * Solaris Kerberos: We don't want to count as an error if for ++ * instance the stash file is not present and we are trying to ++ * automate propagation, which really doesn't need a master key to ++ * do so. ++ */ ++ if (retval != KRB5_KDB_CANTREAD_STORED) ++ exit_status++; + return(0); + } + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/022-case-ins-compare.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/022-case-ins-compare.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,39 @@ +# +# This change allows for case insenstive comparisons of principals in the keytab +# file. This is necessary in order to interoperate with old Windows clients +# that use upper case host name components in service principals. +# +# Original BugID is: +# 15592543 SUNBT6885980 Need case-insensitive keytab lookups for MS interop +# +# Note: In the future, the depedent code (SMB), should construct an acceptor +# name that does not contain the host name component in order perform keytab. +# Refer to the 1.10 feature here: +# http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names +# Patch source: in-house +# +--- old/src/lib/krb5/keytab/kt_file.c Wed Oct 15 17:55:10 2014 ++++ new/src/lib/krb5/keytab/kt_file.c Tue Jan 13 23:56:40 2015 +@@ -310,7 +310,21 @@ + /* if the principal isn't the one requested, free new_entry + and continue to the next. */ + +- if (!krb5_principal_compare(context, principal, new_entry.principal)) { ++ /* ++ * Solaris Kerberos: MS Interop requires that case insensitive ++ * comparisons of service and host components are performed for key ++ * table lookup, etc. Only called if the private environment variable ++ * MS_INTEROP is defined. ++ */ ++ if (getenv("MS_INTEROP")) { ++ if (!krb5_principal_compare_flags(context, principal, ++ new_entry.principal, ++ KRB5_PRINCIPAL_COMPARE_CASEFOLD)) { ++ krb5_kt_free_entry(context, &new_entry); ++ continue; ++ } ++ } else if (!krb5_principal_compare(context, principal, ++ new_entry.principal)) { + krb5_kt_free_entry(context, &new_entry); + continue; + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/023-mem-rcache.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/023-mem-rcache.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,300 @@ +# +# This patch allows for backwards compatability with the rcache interface. +# Solaris currently supports the deprecated interface for specifying the rcache +# file; KRB5RCNAME. Which is defined as: +# +# KRB5RCNAME=[FILE|MEMORY|NONE]: +# with: FILE:/var/krb5/rcache/_ as the default setting. +# This patch keeps this interface as well as preserve the existing interface +# with MIT through various environment variables: +# KRB5RCACHETYPE=[dfl|none] +# KRB5RCACHENAME= +# KRB5RCACHEDIR= +# where the default configuration, dfl:/var/tmp/_, +# is transformed to dfl:/var/krb5/rcache/_ in Solaris +# where dfl is a file based replay cache +# +# The following CRs are fixed with this patch, in sequence: +# +# 15299709 SUNBT6355096-SOLARIS_11 rcache name value is now expected to be... +# 15184486 SUNBT4950986 caching behavior of the Kerberos 5 replay cache is... +# 15291109 SUNBT6334655-SOLARIS_11 with =MEMORY as said in... +# 15299707 SUNBT6355094-SOLARIS_11 Some parts of the krb mem rcache should... +# 15731568 SUNBT7071883 mech_krb5.so.1`krb5_rc_dfl_close_no_free+0x21... +# +# Note: An MIT ticket will subsequently be filed, but the solution may differ +# from what we currently offer in Solaris, because they may not want a memory +# replay cache, because of the known limitations of this type of cache and may +# integrate features that don't require replay caches in the the future. +# Patch source: in-house +# +diff -pur old/src/lib/krb5/krb/srv_rcache.c new/src/lib/krb5/krb/srv_rcache.c +--- old/src/lib/krb5/krb/srv_rcache.c 2015-04-09 18:09:27.385483632 -0600 ++++ new/src/lib/krb5/krb/srv_rcache.c 2015-04-15 23:30:38.449049210 -0600 +@@ -39,6 +39,7 @@ krb5_get_server_rcache(krb5_context cont + krb5_error_code retval; + unsigned int i; + struct k5buf buf = EMPTY_K5BUF; ++ char *def_env; + #ifdef HAVE_GETEUID + unsigned long uid = geteuid(); + #endif +@@ -49,19 +50,30 @@ krb5_get_server_rcache(krb5_context cont + cachetype = krb5_rc_default_type(context); + + k5_buf_init_dynamic(&buf); +- k5_buf_add(&buf, cachetype); +- k5_buf_add(&buf, ":"); +- for (i = 0; i < piece->length; i++) { +- if (piece->data[i] == '-') +- k5_buf_add(&buf, "--"); +- else if (!isvalidrcname((int) piece->data[i])) +- k5_buf_add_fmt(&buf, "-%03o", piece->data[i]); ++ if ((def_env = krb5_rc_default_name(context)) != 0) { ++ /* ++ * We expect to have the fully qualified rcache name (:), ++ * so we populate the default type here if the type is missing. ++ */ ++ if (strchr(def_env, ':') == NULL) ++ k5_buf_add_fmt(&buf, "%s:%s", cachetype, def_env); + else +- k5_buf_add_len(&buf, &piece->data[i], 1); +- } ++ k5_buf_add(&buf, def_env); ++ } else { ++ k5_buf_add(&buf, cachetype); ++ k5_buf_add(&buf, ":"); ++ for (i = 0; i < piece->length; i++) { ++ if (piece->data[i] == '-') ++ k5_buf_add(&buf, "--"); ++ else if (!isvalidrcname((int) piece->data[i])) ++ k5_buf_add_fmt(&buf, "-%03o", piece->data[i]); ++ else ++ k5_buf_add_len(&buf, &piece->data[i], 1); ++ } + #ifdef HAVE_GETEUID + k5_buf_add_fmt(&buf, "_%lu", uid); + #endif ++ } + + if (k5_buf_status(&buf) != 0) + return ENOMEM; +diff -pur old/src/lib/krb5/rcache/Makefile.in new/src/lib/krb5/rcache/Makefile.in +--- old/src/lib/krb5/rcache/Makefile.in 2015-04-09 18:09:27.382173687 -0600 ++++ new/src/lib/krb5/rcache/Makefile.in 2015-04-09 18:04:39.621940187 -0600 +@@ -13,7 +13,8 @@ STLIBOBJS = \ + rc_none.o \ + rc_conv.o \ + ser_rc.o \ +- rcfns.o ++ rcfns.o \ ++ rc_mem.o + + OBJS= \ + $(OUTPRE)rc_base.$(OBJEXT) \ +@@ -23,7 +24,8 @@ OBJS= \ + $(OUTPRE)rc_none.$(OBJEXT) \ + $(OUTPRE)rc_conv.$(OBJEXT) \ + $(OUTPRE)ser_rc.$(OBJEXT) \ +- $(OUTPRE)rcfns.$(OBJEXT) ++ $(OUTPRE)rcfns.$(OBJEXT) \ ++ $(OUTPRE)rc_mem.$(OBJEXT) + + SRCS= \ + $(srcdir)/rc_base.c \ +@@ -34,7 +36,8 @@ SRCS= \ + $(srcdir)/rc_conv.c \ + $(srcdir)/ser_rc.c \ + $(srcdir)/rcfns.c \ +- $(srcdir)/t_replay.c ++ $(srcdir)/t_replay.c \ ++ $(srcdir)/rc_mem.c + + ##DOS##LIBOBJS = $(OBJS) + +diff -pur old/src/lib/krb5/rcache/rc_base.c new/src/lib/krb5/rcache/rc_base.c +--- old/src/lib/krb5/rcache/rc_base.c 2015-04-09 18:09:27.381750522 -0600 ++++ new/src/lib/krb5/rcache/rc_base.c 2015-04-16 16:29:05.785483477 -0600 +@@ -13,19 +13,35 @@ + #include "rc_base.h" + #include "rc-int.h" + #include "k5-thread.h" ++#include "rc_mem.h" + + struct krb5_rc_typelist { + const krb5_rc_ops *ops; + struct krb5_rc_typelist *next; + }; + static struct krb5_rc_typelist none = { &krb5_rc_none_ops, 0 }; +-static struct krb5_rc_typelist krb5_rc_typelist_dfl = { &krb5_rc_dfl_ops, &none }; ++static struct krb5_rc_typelist mem = { &krb5_rc_mem_ops, &none }; ++static struct krb5_rc_typelist ++ krb5_rc_typelist_dfl = { &krb5_rc_dfl_ops, &mem }; + static struct krb5_rc_typelist *typehead = &krb5_rc_typelist_dfl; + static k5_mutex_t rc_typelist_lock = K5_MUTEX_PARTIAL_INITIALIZER; + ++struct authlist ++{ ++ krb5_donot_replay rep; ++ struct authlist *na; ++ struct authlist *nh; ++}; ++ + int + krb5int_rc_finish_init(void) + { ++ int retval; ++ ++ retval = k5_mutex_finish_init(&grcache.lock); ++ if (retval) ++ return (retval); ++ + return k5_mutex_finish_init(&rc_typelist_lock); + } + +@@ -33,6 +49,28 @@ void + krb5int_rc_terminate(void) + { + struct krb5_rc_typelist *t, *t_next; ++ struct mem_data *tgr = (struct mem_data *)grcache.data; ++ struct authlist *q, *qt; ++ int i; ++ ++ k5_mutex_destroy(&grcache.lock); ++ ++ if (tgr != NULL) { ++ if (tgr->name) ++ free(tgr->name); ++ for (i = 0; i < tgr->hsize; i++) { ++ for (q = tgr->h[i]; q; q = qt) { ++ qt = q->nh; ++ free(q->rep.server); ++ free(q->rep.client); ++ free(q); ++ } ++ if (tgr->h) ++ free(tgr->h); ++ free(tgr); ++ } ++ } ++ + k5_mutex_destroy(&rc_typelist_lock); + for (t = typehead; t != &krb5_rc_typelist_dfl; t = t_next) { + t_next = t->next; +@@ -106,21 +144,38 @@ char * krb5_rc_get_type(krb5_context con + char * + krb5_rc_default_type(krb5_context context) + { +- char *s; ++ char *s, *residual; ++ unsigned int diff; ++ + if ((s = getenv("KRB5RCACHETYPE"))) + return s; +- else +- return "dfl"; ++ else if ((s = getenv("KRB5RCNAME")) && (residual = strchr(s, ':'))) { ++ diff = (residual - s) + 1; ++ if (strncmp(s, "FILE:", diff) == 0) ++ return "dfl"; ++ else if (strncmp(s, "NONE:", diff) == 0) ++ return "none"; ++ else if (strncmp(s, "MEMORY:", diff) == 0) ++ return "MEMORY"; ++ } ++ ++ return "dfl"; + } + + char * + krb5_rc_default_name(krb5_context context) + { +- char *s; ++ char *s, *residual; ++ + if ((s = getenv("KRB5RCACHENAME"))) + return s; +- else +- return (char *) 0; ++ else if ((s = getenv("KRB5RCNAME"))) { ++ if (residual = strchr(s, ':')) ++ return (residual + 1); ++ else ++ return s; ++ } else ++ return (char *) 0; + } + + krb5_error_code +diff -pur old/src/lib/krb5/rcache/rc_dfl.c new/src/lib/krb5/rcache/rc_dfl.c +--- old/src/lib/krb5/rcache/rc_dfl.c 2015-04-09 18:09:27.382459743 -0600 ++++ new/src/lib/krb5/rcache/rc_dfl.c 2015-04-09 21:01:56.063638506 -0600 +@@ -249,6 +249,9 @@ krb5_rc_dfl_close_no_free(krb5_context c + struct dfl_data *t = (struct dfl_data *)id->data; + struct authlist *q; + ++ if (id->data == NULL) ++ return 0; ++ + free(t->h); + if (t->name) + free(t->name); +@@ -265,6 +268,7 @@ krb5_rc_dfl_close_no_free(krb5_context c + (void) krb5_rc_io_close(context, &t->d); + #endif + free(t); ++ id->data = NULL; + return 0; + } + +@@ -329,6 +333,7 @@ cleanup: + if (t->h) + free(t->h); + free(t); ++ id->data = NULL; + } + return retval; + } +diff -pur old/src/lib/krb5/rcache/rc_io.c new/src/lib/krb5/rcache/rc_io.c +--- old/src/lib/krb5/rcache/rc_io.c 2015-04-09 18:09:27.382337387 -0600 ++++ new/src/lib/krb5/rcache/rc_io.c 2015-04-15 02:51:37.858253777 -0600 +@@ -56,7 +56,10 @@ getdir(void) + #else + if (!(dir = getenv("TMPDIR"))) { + #ifdef RCTMPDIR +- dir = RCTMPDIR; ++ if (geteuid() == 0) ++ dir = RCTMPDIR "/root"; ++ else ++ dir = RCTMPDIR; + #else + dir = "/tmp"; + #endif +@@ -164,6 +167,8 @@ krb5_rc_io_creat(krb5_context context, k + + GETDIR; + if (fn && *fn) { ++ if (strncmp(*fn, PATH_SEPARATOR, sizeof(PATH_SEPARATOR) - 1) == 0) ++ dir = ""; + if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0) + return KRB5_RC_IO_MALLOC; + d->fd = -1; +@@ -227,6 +232,8 @@ krb5_rc_io_open_internal(krb5_context co + char *dir; + + dir = getdir(); ++ if (fn && (strncmp(fn, PATH_SEPARATOR, sizeof(PATH_SEPARATOR) - 1) == 0)) ++ dir = ""; + if (full_pathname) { + if (!(d->fn = strdup(full_pathname))) + return KRB5_RC_IO_MALLOC; +diff -pur old/src/lib/krb5/rcache/rc-int.h new/src/lib/krb5/rcache/rc-int.h +--- old/src/lib/krb5/rcache/rc-int.h 2015-04-09 18:09:27.381858138 -0600 ++++ new/src/lib/krb5/rcache/rc-int.h 2015-04-09 18:04:39.622200717 -0600 +@@ -87,5 +87,6 @@ krb5_error_code krb5_rc_register_type(kr + + extern const krb5_rc_ops krb5_rc_dfl_ops; + extern const krb5_rc_ops krb5_rc_none_ops; ++extern const krb5_rc_ops krb5_rc_mem_ops; + + #endif /* __KRB5_RCACHE_INT_H__ */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/024-smb-compat.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/024-smb-compat.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,183 @@ +# +# This patch allows for better interop with MS Windows clients accessing Solaris +# SMB services. It fixes a few memory leaks and double frees found during SMB +# stress testing. The CRs in order: +# +# 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... +# 15648322 SUNBT6959251 coredump in gss_release_name+0x36 +# 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID +# 16005842 Should retry SMB authentication upgrade to account for network... +# 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. +# +# Note: MIT tickets will subsequently be filed, but the solution may differ from +# what we currently offer in Solaris, because they may want the changes as the +# default behavior therefore removing the dependency on the MS_INTEROP +# environment variable. +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/accept_sec_context.c new/src/lib/gssapi/krb5/accept_sec_context.c +--- old/src/lib/gssapi/krb5/accept_sec_context.c 2015-03-30 23:53:08.814324223 -0600 ++++ new/src/lib/gssapi/krb5/accept_sec_context.c 2015-04-02 00:05:08.243563972 -0600 +@@ -1226,6 +1226,35 @@ fail: + */ + memset(&krb_error_data, 0, sizeof(krb_error_data)); + ++ /* ++ * We need to remap error conditions for buggy Windows clients if the ++ * MS_INTEROP env var has been set. ++ */ ++ if ((code == KRB5KRB_AP_ERR_BAD_INTEGRITY || ++ code == KRB5KRB_AP_ERR_NOKEY || code == KRB5KRB_AP_ERR_BADKEYVER) ++ && getenv("MS_INTEROP")) { ++ code = KRB5KRB_AP_ERR_MODIFIED; ++ major_status = GSS_S_CONTINUE_NEEDED; ++ } ++ ++ /* ++ * Set e-data to Windows constant (verified by MSFT). ++ * ++ * This facilitates the Windows CIFS client clock skew ++ * recovery feature. ++ */ ++ if (code == KRB5KRB_AP_ERR_SKEW && getenv("MS_INTEROP")) { ++ char *ms_e_data = "\x30\x05\xa1\x03\x02\x01\x02"; ++ int len = strlen(ms_e_data); ++ ++ krb_error_data.e_data.data = malloc(len); ++ if (krb_error_data.e_data.data) { ++ (void) memcpy(krb_error_data.e_data.data, ms_e_data, len); ++ krb_error_data.e_data.length = len; ++ } ++ major_status = GSS_S_CONTINUE_NEEDED; ++ } ++ + code -= ERROR_TABLE_BASE_krb5; + if (code < 0 || code > KRB_ERR_MAX) + code = 60 /* KRB_ERR_GENERIC */; +diff -pur old/src/lib/gssapi/spnego/spnego_mech.c new/src/lib/gssapi/spnego/spnego_mech.c +--- old/src/lib/gssapi/spnego/spnego_mech.c 2015-03-30 23:53:08.816648991 -0600 ++++ new/src/lib/gssapi/spnego/spnego_mech.c 2015-04-15 18:52:40.053965732 -0600 +@@ -190,6 +190,13 @@ static const gss_OID_set_desc spnego_oid + }; + const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; + ++/* encoded OID octet string for NTLMSSP security mechanism */ ++#define GSS_MECH_NTLMSSP_OID_LENGTH 10 ++#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" ++static gss_OID_desc ntlmssp_oid = { ++ GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID ++}; ++ + static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *); + static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); + static OM_uint32 +@@ -1243,7 +1250,7 @@ make_NegHints(OM_uint32 *minor_status, + &hintNameBuf, + &hintNameType); + if (major_status != GSS_S_COMPLETE) { +- gss_release_name(&minor, &hintName); ++ gss_release_name(&minor, &hintKerberosName); + return (major_status); + } + gss_release_name(&minor, &hintKerberosName); +@@ -1386,6 +1393,7 @@ acc_ctx_new(OM_uint32 *minor_status, + gss_buffer_desc der_mechTypes; + gss_OID mech_wanted; + spnego_gss_ctx_id_t sc = NULL; ++ unsigned int i; + + ret = GSS_S_DEFECTIVE_TOKEN; + der_mechTypes.length = 0; +@@ -1409,6 +1417,24 @@ acc_ctx_new(OM_uint32 *minor_status, + goto cleanup; + } + /* ++ * We add KRB5_WRONG here so that old MS clients can negotiate this ++ * mechanism, which allows extensions in Kerberos (clock skew ++ * adjustment, refresh ccache). ++ */ ++ for (i = 0; i < supported_mechSet->count; i++) { ++ if (is_kerb_mech(&supported_mechSet->elements[i])) { ++ extern gss_OID_desc * const gss_mech_krb5_wrong; ++ ret = gss_add_oid_set_member(minor_status, ++ gss_mech_krb5_wrong, ++ &supported_mechSet); ++ if (ret != GSS_S_COMPLETE) { ++ *return_token = NO_TOKEN_SEND; ++ goto cleanup; ++ } ++ break; ++ } ++ } ++ /* + * Select the best match between the list of mechs + * that the initiator requested and the list that + * the acceptor will support. +@@ -2989,6 +3015,7 @@ get_available_mechs(OM_uint32 *minor_sta + int found = 0; + OM_uint32 major_status = GSS_S_COMPLETE, tmpmin; + gss_OID_set mechs, goodmechs; ++ char *msinterop = getenv("MS_INTEROP"); + + major_status = gss_indicate_mechs(minor_status, &mechs); + +@@ -3003,6 +3030,15 @@ get_available_mechs(OM_uint32 *minor_sta + return (major_status); + } + ++ /* ++ * If the required keytab entries for Kerberized SMB service are ++ * missing due to an SMB authentication upgrade failure, SMB daemon ++ * will set MS_INTEROP environmment variable to 1 to ensure only ++ * NTLMSSP security mech is used for negotiation. ++ */ ++ if ((msinterop != NULL) && (!strcmp(msinterop, "1"))) ++ goto ntlmssp; ++ + for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) { + if ((mechs->elements[i].length + != spnego_mechanism.mech_type.length) || +@@ -3018,6 +3054,25 @@ get_available_mechs(OM_uint32 *minor_sta + } + } + ++ntlmssp: ++ /* ++ * Add NTLMSSP OID to the mech OID set only if MS_INTEROP env var has ++ * been set to: ++ * - "1" (NTLMSSP only) or ++ * - "2" (both Krb5 and NTLMSSP) ++ * ++ * This is a requirement until NTLMSSP is implemented as a GSS-API ++ * plugin. ++ */ ++ if ((msinterop != NULL) && ++ (!strcmp(msinterop, "1") || !strcmp(msinterop, "2"))) { ++ major_status = gss_add_oid_set_member(minor_status, ++ &ntlmssp_oid, rmechs); ++ ++ if (major_status == GSS_S_COMPLETE) ++ found++; ++ } ++ + /* + * If the caller wanted a list of creds returned, + * trim the list of mechanisms down to only those +@@ -3593,9 +3648,17 @@ negotiate_mech(gss_OID_set supported, gs + for (i = 0; i < received->count; i++) { + gss_OID mech_oid = &received->elements[i]; + ++ /* ++ * MIT compares against MS' wrong OID, but we actually want to ++ * select it if the client supports, as this will enable ++ * features on MS clients that allow credential refresh on ++ * rekeying and caching system times from servers. ++ */ ++#if 0 + /* Accept wrong mechanism OID from MS clients */ + if (g_OID_equal(mech_oid, &gss_mech_krb5_wrong_oid)) + mech_oid = (gss_OID)&gss_mech_krb5_oid; ++#endif + + for (j = 0; j < supported->count; j++) { + if (g_OID_equal(mech_oid, &supported->elements[j])) { diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/025-ktwarnd.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/025-ktwarnd.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,259 @@ +# +# Since we will not migrate kwarn code to useland, we created a libkwarn in +# ON gate. This patch is to let kinit, kdestroy and GSSAPI utilize libkwarn +# functionality. +# +# This patch will not be pushed upstream, since it's Solaris specific feature. +# Patch source: in-house +# + +diff -Napur ORIGINAL/src/clients/kdestroy/Makefile.in krb5-1.13.1/src/clients/kdestroy/Makefile.in +--- ORIGINAL/src/clients/kdestroy/Makefile.in 2015-02-11 19:16:43.000000000 -0800 ++++ krb5-1.13.1/src/clients/kdestroy/Makefile.in 2015-04-22 09:11:09.523911895 -0700 +@@ -19,7 +19,7 @@ all-unix:: kdestroy + ##WIN32##all-windows:: $(KDESTROY) + + kdestroy: kdestroy.o $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS) ++ $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS) -lkwarn + + ##WIN32##$(KDESTROY): $(OUTPRE)kdestroy.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES) + ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** +diff -Napur ORIGINAL/src/clients/kdestroy/kdestroy.c krb5-1.13.1/src/clients/kdestroy/kdestroy.c +--- ORIGINAL/src/clients/kdestroy/kdestroy.c 2015-02-11 19:16:43.000000000 -0800 ++++ krb5-1.13.1/src/clients/kdestroy/kdestroy.c 2015-04-22 14:52:01.310510058 -0700 +@@ -24,6 +24,12 @@ + * or implied warranty. + */ + ++/* Solaris Kerberos */ ++#include ++#include ++#include ++#include ++ + #include "k5-platform.h" + #include + #include +@@ -46,6 +52,13 @@ + extern int optind; + extern char *optarg; + ++/* ++ * We add _rpcsys extern declariation because that ON build suppresses warning ++ * of implicit declarition, while MIT kerberos build treats the warning ++ * as an error. ++ */ ++extern int _rpcsys(int, void *); ++ + #ifndef _WIN32 + #define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x)) + #else +@@ -82,6 +95,13 @@ + int quiet = 0; + int all = 0; + ++ /* Solaris Kerberos */ ++ krb5_principal me = NULL; ++ char *client_name = NULL; ++ struct krpc_revauth desarg; ++ static rpc_gss_OID_desc oid = {9, "\052\206\110\206\367\022\001\002\002"}; ++ static rpc_gss_OID krb5_mech_type = &oid; ++ + setlocale(LC_ALL, ""); + progname = GET_PROGNAME(argv[0]); + +@@ -165,6 +185,49 @@ + } + } + ++ /* ++ * Solaris Kerberos ++ * Let us destroy the kernel cache first. ++ */ ++ desarg.version = 1; ++ desarg.uid_1 = geteuid(); ++ desarg.rpcsec_flavor_1 = RPCSEC_GSS; ++ desarg.flavor_data_1 = (void *) krb5_mech_type; ++ code = _rpcsys(KRPC_REVAUTH, (void *)&desarg); ++ if (code != 0) { ++ fprintf(stderr, _("%s: kernel creds cache error %d \n"), ++ progname, code); ++ } ++ ++ if (cache_name) { ++ code = krb5_cc_resolve (kcontext, cache_name, &cache); ++ if (code != 0) { ++ com_err (progname, code, _("while resolving %s"), cache_name); ++ exit(1); ++ } ++ } else { ++ code = krb5_cc_default(kcontext, &cache); ++ if (code) { ++ com_err(progname, code, _("while getting default ccache")); ++ exit(1); ++ } ++ } ++ ++ /* ++ * Solaris Kerberos ++ * Get client name for ktkt_warnd(1M) msg. ++ */ ++ code = krb5_cc_get_principal(kcontext, cache, &me); ++ if (code != 0) ++ fprintf(stderr, ++ _("%s: Could not obtain principal name from cache\n"), ++ progname); ++ else ++ if ((code = krb5_unparse_name(kcontext, me, &client_name))) ++ fprintf(stderr, ++ _("%s: Could not unparse principal name found in cache\n"), ++ progname); ++ + code = krb5_cc_destroy (kcontext, cache); + if (code != 0) { + com_err (progname, code, _("while destroying cache")); +@@ -178,5 +241,17 @@ + errflg = 1; + } + } ++ ++ /* Solaris Kerberos - Delete ktkt_warnd(1M) entry. */ ++ if (!errflg && client_name) ++ kwarn_del_warning(client_name); ++ else ++ fprintf(stderr, _("%s: TGT expire warning NOT deleted\n"), ++ progname); ++ ++ /* Solaris Kerberos */ ++ free(client_name); ++ krb5_free_principal(kcontext, me); ++ + return errflg; + } +diff -Napur ORIGINAL/src/clients/kinit/Makefile.in krb5-1.13.1/src/clients/kinit/Makefile.in +--- ORIGINAL/src/clients/kinit/Makefile.in 2015-02-11 19:16:43.000000000 -0800 ++++ krb5-1.13.1/src/clients/kinit/Makefile.in 2015-04-22 09:11:09.525770418 -0700 +@@ -20,7 +20,7 @@ all-unix:: kinit + ##WIN32##all-windows:: $(KINIT) + + kinit: kinit.o kinit_kdb.o $(KRB5_BASE_DEPLIBS) $(KADMSRV_DEPLIBS) +- $(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) ++ $(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) -lkwarn + + ##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES) + ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib +diff -Napur ORIGINAL/src/clients/kinit/kinit.c krb5-1.13.1/src/clients/kinit/kinit.c +--- ORIGINAL/src/clients/kinit/kinit.c 2015-02-11 19:16:43.000000000 -0800 ++++ krb5-1.13.1/src/clients/kinit/kinit.c 2015-04-22 14:17:16.415936121 -0700 +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #ifdef GETOPT_LONG + #include +@@ -94,6 +95,9 @@ char * get_name_from_os() + + static char *progname; + ++static void _kwarnd_add_warning(char *, char *, time_t); ++static void _kwarnd_del_warning(char *, char *); ++ + typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type; + + struct k_opts +@@ -883,6 +887,15 @@ k5_kinit(opts, k5) + if (opts->verbose) + fprintf(stderr, _("Stored credentials\n")); + } ++ ++ /* Solaris Kerberos: support our ktkt_warnd */ ++ if (opts->action == RENEW) { ++ _kwarnd_del_warning(progname, opts->principal_name); ++ _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime); ++ } else if ((opts->action == INIT_KT) || (opts->action == INIT_PW)) { ++ _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime); ++ } ++ + notix = 0; + + if (k5->switch_to_cache) { +@@ -951,3 +964,25 @@ main(argc, argv) + exit(1); + return 0; + } ++ ++/* Solaris Kerberos start */ ++ ++static void ++_kwarnd_add_warning(char *progname, char *me, time_t endtime) ++{ ++ if (kwarn_add_warning(me, endtime) != 0) ++ fprintf(stderr, gettext( ++ "%s: no ktkt_warnd warning possible\n"), progname); ++ return; ++} ++ ++static void ++_kwarnd_del_warning(char *progname, char *me) ++{ ++ if (kwarn_del_warning(me) != 0) ++ fprintf(stderr, gettext( ++ "%s: unable to delete ktkt_warnd message for %s\n"), ++ progname, me); ++ return; ++} ++/* Solaris Kerberos end */ +diff -Napur ORIGINAL/src/lib/gssapi/Makefile.in krb5-1.13.1/src/lib/gssapi/Makefile.in +--- ORIGINAL/src/lib/gssapi/Makefile.in 2015-02-11 19:16:43.000000000 -0800 ++++ krb5-1.13.1/src/lib/gssapi/Makefile.in 2015-04-22 09:11:09.527753282 -0700 +@@ -27,7 +27,7 @@ STOBJLISTS=OBJS.ST generic/OBJS.ST mechg + SUBDIROBJLISTS=generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST + SHLIB_EXPDEPS=\ + $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) $(COM_ERR_DEPLIB) +-SHLIB_EXPLIBS=-lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS) ++SHLIB_EXPLIBS=-lkrb5 -lk5crypto -lcom_err -lkwarn $(SUPPORT_LIB) $(DL_LIB) $(LIBS) + RELDIR=gssapi + + all-unix:: all-liblinks @MAINT@ verify-calling-conventions-gssapi +diff -Napur ORIGINAL/src/lib/gssapi/krb5/store_cred.c krb5-1.13.1/src/lib/gssapi/krb5/store_cred.c +--- ORIGINAL/src/lib/gssapi/krb5/store_cred.c 2015-04-22 08:37:33.146728757 -0700 ++++ krb5-1.13.1/src/lib/gssapi/krb5/store_cred.c 2015-04-22 14:19:34.769508399 -0700 +@@ -26,6 +26,9 @@ + + #include "k5-int.h" + #include "gssapiP_krb5.h" ++#include ++#include ++ + + static int + has_unexpired_creds(krb5_gss_cred_id_t kcred, +@@ -71,6 +74,7 @@ copy_initiator_creds(OM_uint32 *minor_st + krb5_context context = NULL; + krb5_ccache ccache = NULL; + const char *ccache_name; ++ char *client_name = NULL; + + *minor_status = 0; + +@@ -162,6 +166,17 @@ copy_initiator_creds(OM_uint32 *minor_st + *minor_status = 0; + major_status = GSS_S_COMPLETE; + ++ /* Alert ktkt_warnd(1M) */ ++ major_status = krb5_unparse_name(context, kcred->name->princ, &client_name); ++ if (GSS_ERROR(major_status)) ++ goto cleanup; ++ (void) kwarn_del_warning(client_name); ++ if (kwarn_add_warning(client_name, kcred->expire) != 0) { ++ syslog(LOG_AUTH|LOG_NOTICE, "store_cred: kwarn_add_warning" ++ " failed: ktkt_warnd(1M) down? "); ++ } ++ free(client_name); ++ + cleanup: + if (kcred != NULL) + k5_mutex_unlock(&kcred->lock); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/026-inappropriate_assert.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/026-inappropriate_assert.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,22 @@ +# +# This patch removes an inapropriate assert. +# +# This assert is inappropriate, because the length of the exported name +# object may be smaller than input_name_buffer->value. This has caused +# aborts in RPCSEC_GSS. +# +# This patch is to accomodate Solaris RPC implementation and is not suitable +# upstream contribution. +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/import_name.c new/src/lib/gssapi/krb5/import_name.c +--- old/src/lib/gssapi/krb5/import_name.c 2014-10-15 16:55:10.000000000 -0700 ++++ new/src/lib/gssapi/krb5/import_name.c 2014-12-16 04:49:23.593542458 -0800 +@@ -288,7 +288,6 @@ krb5_gss_import_name(minor_status, input + goto fail_name; + cp += length; + } +- assert(cp == end); + } else { + status = GSS_S_BAD_NAMETYPE; + goto cleanup; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/027-add_admin_sname_princ.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/027-add_admin_sname_princ.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,223 @@ +# +# This patch modifies add_admin_princ() to call krb5_sname_to_princ() instead +# of querying naming and constructing the service principal names directly. +# +# Patch offered upstream: +# https://github.com/krb5/krb5/pull/333 +# Patch source: in-house +# +diff -pur old/src/kadmin/dbutil/kadm5_create.c new/src/kadmin/dbutil/kadm5_create.c +--- old/src/kadmin/dbutil/kadm5_create.c ++++ new/src/kadmin/dbutil/kadm5_create.c +@@ -44,8 +44,14 @@ + #include + #include "kdb5_util.h" + +-static int add_admin_princ(void *handle, krb5_context context, +- char *name, char *realm, int attrs, int lifetime); ++static int add_admin_princ_common(void *handle, krb5_context context, ++ krb5_principal principal, int attrs, ++ int lifetime); ++static int add_admin_princ(void *handle, krb5_context context, char *name, ++ char *realm, int attrs, int lifetime); ++static int add_admin_sname_princ(void *handle, krb5_context context, ++ char *sname, char *realm, int attrs, ++ int lifetime); + static int add_admin_princs(void *handle, krb5_context context, char *realm); + + #define ERR 1 +@@ -145,64 +151,11 @@ int kadm5_create_magic_princs(kadm5_conf + static int add_admin_princs(void *handle, krb5_context context, char *realm) + { + krb5_error_code ret = 0; +- char *service_name = 0, *kiprop_name = 0, *p; +- char localname[MAXHOSTNAMELEN]; +- struct addrinfo *ai, ai_hints; +- int gai_error; +- +- if (gethostname(localname, MAXHOSTNAMELEN)) { +- ret = errno; +- perror("gethostname"); +- goto clean_and_exit; +- } +- memset(&ai_hints, 0, sizeof(ai_hints)); +- ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; +- gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai); +- if (gai_error) { +- ret = EINVAL; +- fprintf(stderr, "getaddrinfo(%s): %s\n", localname, +- gai_strerror(gai_error)); +- goto clean_and_exit; +- } +- if (ai->ai_canonname == NULL) { +- ret = EINVAL; +- fprintf(stderr, _("getaddrinfo(%s): Cannot determine canonical " +- "hostname.\n"), localname); +- freeaddrinfo(ai); +- goto clean_and_exit; +- } +- for (p = ai->ai_canonname; *p; p++) { +-#ifdef isascii +- if (!isascii(*p)) +- continue; +-#else +- if (*p < ' ') +- continue; +- if (*p > '~') +- continue; +-#endif +- if (!isupper(*p)) +- continue; +- *p = tolower(*p); +- } +- if (asprintf(&service_name, "kadmin/%s", ai->ai_canonname) < 0) { +- ret = ENOMEM; +- fprintf(stderr, _("Out of memory\n")); +- freeaddrinfo(ai); +- goto clean_and_exit; +- } +- if (asprintf(&kiprop_name, "kiprop/%s", ai->ai_canonname) < 0) { +- ret = ENOMEM; +- fprintf(stderr, _("Out of memory\n")); +- freeaddrinfo(ai); +- goto clean_and_exit; +- } +- freeaddrinfo(ai); + +- if ((ret = add_admin_princ(handle, context, +- service_name, realm, +- KRB5_KDB_DISALLOW_TGT_BASED, +- ADMIN_LIFETIME))) ++ if ((ret = add_admin_sname_princ(handle, context, ++ KADM5_ADMIN_HOST_SERVICE, realm, ++ KRB5_KDB_DISALLOW_TGT_BASED, ++ ADMIN_LIFETIME))) + goto clean_and_exit; + + if ((ret = add_admin_princ(handle, context, +@@ -218,17 +171,60 @@ static int add_admin_princs(void *handle + CHANGEPW_LIFETIME))) + goto clean_and_exit; + +- ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0); ++ ret = add_admin_sname_princ(handle, context, KADM5_KIPROP_HOST_SERVICE, ++ realm, 0, 0); + + clean_and_exit: +- free(service_name); +- free(kiprop_name); +- + return ret; + } + ++static int add_admin_princ(void *handle, krb5_context context, ++ char *name, char *realm, int attrs, int lifetime) ++{ ++ krb5_error_code ret; ++ char *fullname; ++ krb5_principal principal; ++ ++ if (asprintf(&fullname, "%s@%s", name, realm) < 0) { ++ com_err(progname, ENOMEM, _("while appending realm to principal")); ++ return ERR; ++ } ++ ret = krb5_parse_name(context, fullname, &principal); ++ if (ret) { ++ com_err(progname, ret, _("while parsing admin principal name")); ++ return(ERR); ++ } ++ free (fullname); ++ ++ return add_admin_princ_common(handle, context, principal, attrs, lifetime); ++} ++ ++static int add_admin_sname_princ(void *handle, krb5_context context, ++ char *sname, char *realm, int attrs, ++ int lifetime) ++{ ++ krb5_error_code ret; ++ krb5_principal principal; ++ char *lrealm; ++ ++ ret = krb5_sname_to_principal(context, NULL, sname, KRB5_NT_SRV_HST, ++ &principal); ++ if (ret) { ++ com_err(progname, ret, _("while parsing admin SPN")); ++ return(ERR); ++ } ++ ++ ret = krb5_set_principal_realm(context, principal, realm); ++ if (ret) { ++ com_err(progname, ret, _("while supplying realm to principal")); ++ return ERR; ++ } ++ ++ return add_admin_princ_common(handle, context, principal, attrs, lifetime); ++} ++ + /* +- * Function: add_admin_princ ++ * Function: add_admin_princ_common + * + * Arguments: + * +@@ -255,9 +251,9 @@ clean_and_exit: + * Otherwise, the principal is created with mod_by creator and + * attributes attrs and max life of lifetime (if not zero). + */ +- +-int add_admin_princ(void *handle, krb5_context context, +- char *name, char *realm, int attrs, int lifetime) ++static int add_admin_princ_common(void *handle, krb5_context context, ++ krb5_principal principal, int attrs, ++ int lifetime) + { + char *fullname; + krb5_error_code ret; +@@ -266,15 +262,7 @@ int add_admin_princ(void *handle, krb5_c + + memset(&ent, 0, sizeof(ent)); + +- if (asprintf(&fullname, "%s@%s", name, realm) < 0) { +- com_err(progname, ENOMEM, _("while appending realm to principal")); +- return ERR; +- } +- ret = krb5_parse_name(context, fullname, &ent.principal); +- if (ret) { +- com_err(progname, ret, _("while parsing admin principal name")); +- return(ERR); +- } ++ ent.principal = principal; + ent.max_life = lifetime; + ent.attributes = attrs; + +@@ -283,6 +271,7 @@ int add_admin_princ(void *handle, krb5_c + flags |= KADM5_MAX_LIFE; + ret = kadm5_create_principal(handle, &ent, flags, NULL); + if (ret && ret != KADM5_DUP) { ++ krb5_unparse_name(context, principal, &fullname); + com_err(progname, ret, _("while creating principal %s"), fullname); + krb5_free_principal(context, ent.principal); + free(fullname); +@@ -290,7 +279,6 @@ int add_admin_princ(void *handle, krb5_c + } + + krb5_free_principal(context, ent.principal); +- free(fullname); + + return OK; + } +diff -pur old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h +--- old/src/lib/kadm5/admin.h ++++ new/src/lib/kadm5/admin.h +@@ -64,7 +64,9 @@ KADM5INT_BEGIN_DECLS + #define KADM5_ADMIN_SERVICE "kadmin/admin" + #define KADM5_CHANGEPW_SERVICE "kadmin/changepw" + #define KADM5_HIST_PRINCIPAL "kadmin/history" +-#define KADM5_KIPROP_HOST_SERVICE "kiprop" ++ ++#define KADM5_KIPROP_HOST_SERVICE "kiprop" ++#define KADM5_ADMIN_HOST_SERVICE "kadmin" + + typedef krb5_principal kadm5_princ_t; + typedef char *kadm5_policy_t; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/028-rpc-gss.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/028-rpc-gss.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,3491 @@ +# +# Make MIT Kerberos use Solaris RPC and RPCSEC_GSS instead of libgssrpc. +# +# MIT Kerberos bundles the RPC and RPCSEC_GSS implementation with the +# source in separate libgssrpc library. The RPC implementation is based on +# an ancient SUN donated code. It is inferior to the RPC implementation in +# Solaris libc in features and possibly in performance too. Also introducing +# a duplicate implementation would not be wise. +# +# The patch modifies MIT code to use the standard RPC and RPCSEC_GSS in Solaris. +# +# Specifically: +# - it modifies the Makefiles not to build libgssrpc and not to link with it +# - related to above, it strips libgssrpc from krb5-config +# - moves xdr_alloc.c out of libgssrpc and fixes it for 64-bit +# - includes correct headers - rpc/rpc.h instead of gssrpc/rpc.h +# - modifies net-server code to support TI-RPC (transport independent, XTI) +# - implement kadmin protocol and incr. prop. using Solaris RPCSEC_GSS +# - reverts MIT modification to iprop, that were needed for RPC differences +# - server side support for RPCSEC_GSS base changepw protocol +# - recognize sunw_dbprop_* config options for backward compatibility +# - defines several functions to locate servers (admin, cpw, kiprop,...) +# - updates generated dependencies for kadm_host_srv_names.so to build +# - defines xdr_u_int32 and xdr_int32 +# +# This patch is Solaris specific and is not intended for upstream contribution. +# In the future MIT might provide support for system native RPC implementation. +# Patch source: in-house +# +diff -pur old/src/build-tools/krb5-config.in new/src/build-tools/krb5-config.in +--- old/src/build-tools/krb5-config.in ++++ new/src/build-tools/krb5-config.in +@@ -97,9 +97,6 @@ while test $# != 0; do + gssapi) + library=gssapi + ;; +- gssrpc) +- library=gssrpc +- ;; + kadm-client) + library=kadm_client + ;; +@@ -142,7 +139,6 @@ if test -n "$do_help"; then + echo "Libraries:" + echo " krb5 Kerberos 5 application" + echo " gssapi GSSAPI application with Kerberos 5 bindings" +- echo " gssrpc GSSAPI RPC application" + echo " kadm-client Kadmin client" + echo " kadm-server Kadmin server" + echo " kdb Application that accesses the kerberos database" +@@ -232,17 +228,10 @@ if test -n "$do_libs"; then + + if test $library = 'kadm_server'; then + lib_flags="$lib_flags -lkadm5srv_mit -lkdb5 $KDB5_DB_LIB" +- library=gssrpc + fi + + if test $library = 'kadm_client'; then + lib_flags="$lib_flags -lkadm5clnt_mit" +- library=gssrpc +- fi +- +- if test $library = 'gssrpc'; then +- lib_flags="$lib_flags -lgssrpc" +- library=gssapi + fi + + if test $library = 'gssapi'; then +diff -pur old/src/config/pre.in new/src/config/pre.in +--- old/src/config/pre.in ++++ new/src/config/pre.in +@@ -317,7 +317,7 @@ KDB5_PLUGIN_LIBS = @KDB5_PLUGIN_LIBS@ + KADMCLNT_DEPLIB = $(TOPLIBD)/libkadm5clnt_mit$(DEPLIBEXT) + KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv_mit$(DEPLIBEXT) + KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) +-GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) ++GSSRPC_DEPLIB = # empty + GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) + KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) + CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) +@@ -398,7 +398,7 @@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_ + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on Mac OS X! +-GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) ++GSSRPC_LIBS = $(GSS_LIBS) + KADM_COMM_LIBS = $(GSSRPC_LIBS) + # need fixing if ever used on Mac OS X! + KADMSRV_LIBS = -lkadm5srv_mit $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) +diff -pur old/src/include/iprop.h new/src/include/iprop.h +--- old/src/include/iprop.h ++++ new/src/include/iprop.h +@@ -6,8 +6,7 @@ + #ifndef _IPROP_H_RPCGEN + #define _IPROP_H_RPCGEN + +-#include +- ++#include + + #ifdef __cplusplus + extern "C" { +diff -pur old/src/include/k5-int.h new/src/include/k5-int.h +--- old/src/include/k5-int.h ++++ new/src/include/k5-int.h +@@ -217,11 +217,14 @@ typedef unsigned char u_char; + #define KRB5_CONF_HTTP_ANCHORS "http_anchors" + #define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname" + #define KRB5_CONF_IPROP_ENABLE "iprop_enable" ++#define KRB5_CONF_SUNW_DBPROP_ENABLE "sunw_dbprop_enable" + #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile" + #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize" ++#define KRB5_CONF_SUNW_DBPROP_MASTER_ULOGSIZE "sunw_dbprop_master_ulogsize" + #define KRB5_CONF_IPROP_PORT "iprop_port" + #define KRB5_CONF_IPROP_RESYNC_TIMEOUT "iprop_resync_timeout" + #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" ++#define KRB5_CONF_SUNW_DBPROP_SLAVE_POLL "sunw_dbprop_slave_poll" + #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" + #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" + #define KRB5_CONF_KADMIND_PORT "kadmind_port" +diff -pur old/src/kadmin/dbutil/kadm5_create.c new/src/kadmin/dbutil/kadm5_create.c +--- old/src/kadmin/dbutil/kadm5_create.c ++++ new/src/kadmin/dbutil/kadm5_create.c +@@ -158,11 +158,20 @@ static int add_admin_princs(void *handle + ADMIN_LIFETIME))) + goto clean_and_exit; + ++ if ((ret = add_admin_sname_princ(handle, context, ++ KADM5_CHANGEPW_HOST_SERVICE, realm, ++ KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE, ++ ADMIN_LIFETIME))) ++ goto clean_and_exit; ++ ++/* kadmin/admin unusable with Solaris rpcsec_gss */ ++#if 0 + if ((ret = add_admin_princ(handle, context, + KADM5_ADMIN_SERVICE, realm, + KRB5_KDB_DISALLOW_TGT_BASED, + ADMIN_LIFETIME))) + goto clean_and_exit; ++#endif + + if ((ret = add_admin_princ(handle, context, + KADM5_CHANGEPW_SERVICE, realm, +diff -pur old/src/kadmin/server/ipropd_svc.c new/src/kadmin/server/ipropd_svc.c +--- old/src/kadmin/server/ipropd_svc.c ++++ new/src/kadmin/server/ipropd_svc.c +@@ -134,6 +134,8 @@ iprop_get_updates_1_svc(kdb_last_t *arg, + kadm5_server_handle_t handle = global_server_handle; + char *client_name = 0, *service_name = 0; + char obuf[256] = {0}; ++ gss_name_t name = NULL; ++ OM_uint32 min_stat; + + /* default return code */ + ret.ret = UPDATE_ERROR; +@@ -172,8 +174,14 @@ iprop_get_updates_1_svc(kdb_last_t *arg, + DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name, + service_name); + ++ if (!(name = rqst2name(rqstp))) { ++ krb5_klog_syslog(LOG_ERR, ++ _("%s: Couldn't obtain client's name"), ++ whoami); ++ goto out; ++ } + if (!kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_IPROP, + NULL, + NULL)) { +@@ -221,6 +229,8 @@ out: + debprret(whoami, ret.ret, ret.lastentry.last_sno); + free(client_name); + free(service_name); ++ if (name) ++ gss_release_name(&min_stat, &name); + return (&ret); + } + +@@ -251,6 +261,18 @@ ipropx_resync(uint32_t vers, struct svc_ + int pret, fret; + FILE *p; + kadm5_server_handle_t handle = global_server_handle; ++ /* ++ * The following two definitions are dead code in upstream krb5. ++ * ++ * OM_uint32 min_stat; ++ * gss_name_t name = NULL; ++ * ++ * They come from initial Sun donation of iprop. ++ * For Solaris specific RPC implementation we need them back. ++ * If upstream removes the dead code, hopefuly placing this comment ++ * in this place will result in an easy-to-debug patch error, ++ * rather then failure to compile. ++ */ + OM_uint32 min_stat; + gss_name_t name = NULL; + char *client_name = NULL, *service_name = NULL; +@@ -301,8 +323,14 @@ ipropx_resync(uint32_t vers, struct svc_ + DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", + whoami, client_name, service_name); + ++ if (!(name = rqst2name(rqstp))) { ++ krb5_klog_syslog(LOG_ERR, ++ _("%s: Couldn't obtain client's name"), ++ whoami); ++ goto out; ++ } + if (!kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_IPROP, + NULL, + NULL)) { +@@ -449,6 +477,7 @@ iprop_full_resync_ext_1_svc(uint32_t *ar + return ipropx_resync(*argp, rqstp); + } + ++#if 0 + static int + check_iprop_rpcsec_auth(struct svc_req *rqstp) + { +@@ -521,6 +550,7 @@ fail_name: + gss_release_name(&min_stat, &name); + return success; + } ++#endif + + void + krb5_iprop_prog_1(struct svc_req *rqstp, +@@ -534,6 +564,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp, + char *(*local)(/* union XXX *, struct svc_req * */); + char *whoami = "krb5_iprop_prog_1"; + ++#if 0 + if (!check_iprop_rpcsec_auth(rqstp)) { + krb5_klog_syslog(LOG_ERR, _("authentication attempt failed: %s, RPC " + "authentication flavor %d"), +@@ -542,6 +573,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp, + svcerr_weakauth(transp); + return; + } ++#endif + + switch (rqstp->rq_proc) { + case NULLPROC: +diff -pur old/src/kadmin/server/kadm_rpc_svc.c new/src/kadmin/server/kadm_rpc_svc.c +--- old/src/kadmin/server/kadm_rpc_svc.c ++++ new/src/kadmin/server/kadm_rpc_svc.c +@@ -5,7 +5,7 @@ + */ + + #include +-#include ++#include + #include /* for gss_nt_krb5_name */ + #include + #include +@@ -63,8 +63,7 @@ void kadm_1(rqstp, transp) + bool_t (*xdr_argument)(), (*xdr_result)(); + char *(*local)(); + +- if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI && +- !check_rpcsec_auth(rqstp)) { ++ if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) { + krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, " + "RPC authentication flavor %d", + client_addr(rqstp->rq_xprt), +@@ -246,6 +245,8 @@ void kadm_1(rqstp, transp) + return; + } + ++#if 0 ++ + static int + check_rpcsec_auth(struct svc_req *rqstp) + { +@@ -337,3 +338,4 @@ gss_to_krb5_name_1(struct svc_req *rqstp + free(str); + return success; + } ++#endif +diff -pur old/src/kadmin/server/ovsec_kadmd.c new/src/kadmin/server/ovsec_kadmd.c +--- old/src/kadmin/server/ovsec_kadmd.c ++++ new/src/kadmin/server/ovsec_kadmd.c +@@ -45,10 +45,9 @@ + #include + #include + #include +-#include ++#include + #include + #include "gssapiP_krb5.h" /* for kg_get_context */ +-#include + #include + #include + #include +@@ -57,6 +56,8 @@ + #include + #include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */ + #include ++#include ++#include + + #include "misc.h" + +@@ -347,19 +348,20 @@ main(int argc, char *argv[]) + OM_uint32 minor_status; + gss_buffer_desc in_buf; + gss_OID nt_krb5_name_oid = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; +- auth_gssapi_name names[4]; ++ char *names[4]; + kadm5_config_params params; + verto_ctx *vctx; + const char *pid_file = NULL; + char **db_args = NULL, **tmpargs; + int ret, i, db_args_size = 0, strong_random = 1, proponly = 0; ++ char **tmp_srv_names; ++ krb5_principal princ; ++ char *pos; + + setlocale(LC_ALL, ""); + setvbuf(stderr, NULL, _IONBF, 0); + +- names[0].name = names[1].name = names[2].name = names[3].name = NULL; +- names[0].type = names[1].type = names[2].type = names[3].type = +- nt_krb5_name_oid; ++ names[0] = names[1] = names[2] = names[3] = NULL; + + progname = (strrchr(argv[0], '/') != NULL) ? strrchr(argv[0], '/') + 1 : + argv[0]; +@@ -463,28 +465,88 @@ main(int argc, char *argv[]) + if (!(params.mask & KADM5_CONFIG_ACL_FILE)) + fail_to_start(0, _("Missing required ACL file configuration")); + +- ret = setup_loop(proponly, &vctx); ++ ret = kadm5_get_adm_host_srv_names(context, params.realm, &tmp_srv_names); + if (ret) +- fail_to_start(ret, _("initializing network")); ++ fail_to_start(ret, _("building GSSAPI auth names")); ++ names[0] = strdup(tmp_srv_names[0]); ++ if (names[0] == NULL) ++ fail_to_start(ENOMEM, _("copying GSSAPI auth names")); ++ free_srv_names(tmp_srv_names); ++ tmp_srv_names = NULL; + +- names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm); +- names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm); +- if (names[0].name == NULL || names[1].name == NULL) +- fail_to_start(0, _("Cannot build GSSAPI auth names")); ++ ret = kadm5_get_cpw_host_srv_names(context, params.realm, &tmp_srv_names); ++ if (ret) ++ fail_to_start(ret, _("building GSSAPI auth names")); ++ names[1] = strdup(tmp_srv_names[0]); ++ if (names[1] == NULL) ++ fail_to_start(ENOMEM, _("copying GSSAPI auth names")); ++ free_srv_names(tmp_srv_names); ++ tmp_srv_names = NULL; ++ ++ if (params.iprop_enabled == TRUE) { ++ ret = kadm5_get_kiprop_host_srv_names(context, params.realm, ++ &tmp_srv_names); ++ if (ret) ++ fail_to_start(ret, _("building GSSAPI auth names")); ++ names[2] = strdup(tmp_srv_names[0]); ++ if (names[2] == NULL) ++ fail_to_start(ENOMEM, _("copying GSSAPI auth names")); ++ free_srv_names(tmp_srv_names); ++ tmp_srv_names = NULL; ++ ++ /* ++ * For hierarchical incremental propagation we need kadmind ++ * on slave KDCs to register local hostbased kiprop service principal, ++ * not the one for admin server. For least surprise on upgrade we ++ * register both. ++ */ ++ ret = krb5_sname_to_principal(context, NULL, KADM5_KIPROP_HOST_SERVICE, ++ KRB5_NT_SRV_HST, &princ); ++ if (ret) ++ fail_to_start(ret, _("building GSSAPI auth names")); ++ ret = krb5_unparse_name(context, princ, &names[3]); ++ if (ret) ++ fail_to_start(ret, _("building GSSAPI auth names")); ++ if ((pos = strchr(names[3], '@')) != NULL) ++ *pos = '\0'; ++ if ((pos = strchr(names[3], '/')) != NULL) ++ *pos = '@'; ++ } + + ret = setup_kdb_keytab(); + if (ret) + fail_to_start(0, _("Cannot set up KDB keytab")); +- ++#if 0 + if (svcauth_gssapi_set_names(names, 2) == FALSE) + fail_to_start(0, _("Cannot set GSSAPI authentication names")); ++#endif ++ if (!rpc_gss_set_svc_name(names[0], "kerberos_v5", 0, KADM, KADMVERS)) ++ fail_to_start(0, _("Cannot set GSSAPI authentication names")); ++ if (!rpc_gss_set_svc_name(names[1], "kerberos_v5", 0, KADM, KADMVERS)) ++ fail_to_start(0, _("Cannot set GSSAPI authentication names")); ++ if (params.iprop_enabled == TRUE) { ++ if (!rpc_gss_set_svc_name(names[2], "kerberos_v5", 0, ++ KRB5_IPROP_PROG, KRB5_IPROP_VERS)) ++ fail_to_start(0, _("Cannot set GSSAPI authentication names")); ++ if (strcmp(names[2], names[3])){ ++ if (!rpc_gss_set_svc_name(names[3], "kerberos_v5", 0, ++ KRB5_IPROP_PROG, KRB5_IPROP_VERS)) ++ fail_to_start(0, _("Cannot set GSSAPI authentication names")); ++ ++ } ++ } + + /* if set_names succeeded, this will too */ +- in_buf.value = names[1].name; +- in_buf.length = strlen(names[1].name) + 1; ++ in_buf.value = names[1]; ++ in_buf.length = strlen(names[1]); + (void)gss_import_name(&minor_status, &in_buf, nt_krb5_name_oid, + &gss_changepw_name); + ++ ret = setup_loop(proponly, &vctx); ++ if (ret) ++ fail_to_start(ret, _("initializing network")); ++ ++#if 0 + svcauth_gssapi_set_log_badauth2_func(log_badauth, NULL); + svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); + svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); +@@ -495,6 +557,7 @@ main(int argc, char *argv[]) + + if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) + fail_to_start(0, _("Cannot initialize GSSAPI service name")); ++#endif + + ret = kadm5int_acl_init(context, 0, params.acl_file); + if (ret) +@@ -535,14 +598,16 @@ main(int argc, char *argv[]) + krb5_klog_syslog(LOG_INFO, _("finished, exiting")); + + /* Clean up memory, etc */ ++#if 0 + svcauth_gssapi_unset_names(); ++#endif + kadm5_destroy(global_server_handle); + loop_free(vctx); + kadm5int_acl_finish(context, 0); + (void)gss_release_name(&minor_status, &gss_changepw_name); + (void)gss_release_name(&minor_status, &gss_oldchangepw_name); + for (i = 0; i < 4; i++) +- free(names[i].name); ++ free(names[i]); + + krb5_klog_close(context); + krb5_free_context(context); +diff -pur old/src/kadmin/server/server_stubs.c new/src/kadmin/server/server_stubs.c +--- old/src/kadmin/server/server_stubs.c ++++ new/src/kadmin/server/server_stubs.c +@@ -21,10 +21,10 @@ extern gss_name_t + extern gss_name_t gss_oldchangepw_name; + extern void * global_server_handle; + +-#define CHANGEPW_SERVICE(rqstp) \ +- (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) | \ +- (gss_oldchangepw_name && \ +- cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \ ++#define CHANGEPW_SERVICE(rqstp) \ ++ (cmp_gss_names_rel_1(acceptor_name(rqstp), gss_changepw_name) | \ ++ (gss_oldchangepw_name && \ ++ cmp_gss_names_rel_1(acceptor_name(rqstp), \ + gss_oldchangepw_name))) + + +@@ -33,7 +33,7 @@ static int gss_to_krb5_name(kadm5_server + + static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str); + +-static gss_name_t acceptor_name(gss_ctx_id_t context); ++static gss_name_t acceptor_name(struct svc_req *rqstp); + + gss_name_t rqst2name(struct svc_req *rqstp); + +@@ -107,6 +107,8 @@ static kadm5_ret_t new_server_handle(krb + *out_handle) + { + kadm5_server_handle_t handle; ++ gss_name_t name = NULL; ++ OM_uint32 min_stat; + + *out_handle = NULL; + +@@ -117,13 +119,18 @@ static kadm5_ret_t new_server_handle(krb + *handle = *(kadm5_server_handle_t)global_server_handle; + handle->api_version = api_version; + +- if (! gss_to_krb5_name(handle, rqst2name(rqstp), +- &handle->current_caller)) { ++ if (!(name = rqst2name(rqstp))) { ++ free(handle); ++ return KADM5_FAILURE; ++ } ++ if (! gss_to_krb5_name(handle, name, &handle->current_caller)) { + free(handle); ++ gss_release_name(&min_stat, &name); + return KADM5_FAILURE; + } + + *out_handle = handle; ++ gss_release_name(&min_stat, &name); + return 0; + } + +@@ -182,38 +189,54 @@ int setup_gss_names(struct svc_req *rqst + gss_buffer_desc *client_name, + gss_buffer_desc *server_name) + { +- OM_uint32 maj_stat, min_stat; +- gss_name_t server_gss_name; ++ OM_uint32 min_stat; ++ gss_name_t name = NULL; ++ rpc_gss_rawcred_t *raw_cred; + +- if (gss_name_to_string(rqst2name(rqstp), client_name) != 0) ++ if (!(name = rqst2name(rqstp))) { + return -1; +- maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL, +- &server_gss_name, NULL, NULL, NULL, +- NULL, NULL); +- if (maj_stat != GSS_S_COMPLETE) { +- gss_release_buffer(&min_stat, client_name); +- gss_release_name(&min_stat, &server_gss_name); ++ } ++ if (gss_name_to_string(name, client_name) != 0) { ++ gss_release_name(&min_stat, &name); + return -1; + } +- if (gss_name_to_string(server_gss_name, server_name) != 0) { ++ gss_release_name(&min_stat, &name); ++ ++ rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); ++ server_name->value = strdup(raw_cred->svc_principal); ++ if (server_name->value == NULL) { + gss_release_buffer(&min_stat, client_name); +- gss_release_name(&min_stat, &server_gss_name); + return -1; + } +- gss_release_name(&min_stat, &server_gss_name); ++ server_name->length = strlen(raw_cred->svc_principal); ++ + return 0; + } + +-static gss_name_t acceptor_name(gss_ctx_id_t context) ++static gss_name_t acceptor_name(struct svc_req *rqstp) + { + OM_uint32 maj_stat, min_stat; +- gss_name_t name; ++ gss_name_t name = NULL; ++ rpc_gss_rawcred_t *raw_cred; ++ gss_buffer_desc name_buff; ++ ++ rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); ++ name_buff.value = raw_cred->svc_principal; ++ name_buff.length = strlen(raw_cred->svc_principal); ++ maj_stat = gss_import_name(&min_stat, &name_buff, ++ (gss_OID) gss_nt_krb5_name, &name); ++ if (maj_stat != GSS_S_COMPLETE) { ++ gss_release_buffer(&min_stat, &name_buff); ++ return (NULL); ++ } ++ maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL); ++ if (maj_stat != GSS_S_COMPLETE) { ++ gss_release_buffer(&min_stat, &name_buff); ++ return (NULL); ++ } ++ gss_release_buffer(&min_stat, &name_buff); + +- maj_stat = gss_inquire_context(&min_stat, context, NULL, &name, +- NULL, NULL, NULL, NULL, NULL); +- if (maj_stat != GSS_S_COMPLETE) +- return NULL; +- return name; ++ return name; + } + + static int cmp_gss_krb5_name(kadm5_server_handle_t handle, +@@ -339,8 +362,9 @@ create_principal_2_svc(cprinc_arg *arg, + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -359,8 +383,12 @@ create_principal_2_svc(cprinc_arg *arg, + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, ++ || !kadm5int_acl_check(handle->context, name, ACL_ADD, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { +@@ -387,6 +415,8 @@ create_principal_2_svc(cprinc_arg *arg, + + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -400,8 +430,9 @@ create_principal3_2_svc(cprinc3_arg *arg + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -420,8 +451,12 @@ create_principal3_2_svc(cprinc3_arg *arg + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, ++ || !kadm5int_acl_check(handle->context, name, ACL_ADD, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { +@@ -449,6 +484,8 @@ create_principal3_2_svc(cprinc3_arg *arg + + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -462,8 +499,9 @@ delete_principal_2_svc(dprinc_arg *arg, + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -482,8 +520,12 @@ delete_principal_2_svc(dprinc_arg *arg, + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, ++ || !kadm5int_acl_check(handle->context, name, ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; + log_unauth("kadm5_delete_principal", prime_arg, +@@ -506,6 +548,8 @@ delete_principal_2_svc(dprinc_arg *arg, + + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -520,8 +564,9 @@ modify_principal_2_svc(mprinc_arg *arg, + kadm5_server_handle_t handle; + restriction_t *rp; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -538,8 +583,12 @@ modify_principal_2_svc(mprinc_arg *arg, + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, ++ || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, + arg->rec.principal, &rp) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { +@@ -563,6 +612,8 @@ modify_principal_2_svc(mprinc_arg *arg, + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -580,8 +631,9 @@ rename_principal_2_svc(rprinc_arg *arg, + const char *errmsg = NULL; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -607,13 +659,17 @@ rename_principal_2_svc(rprinc_arg *arg, + slen = service_name.length; + trunc_name(&slen, &sdots); + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + ret.code = KADM5_OK; + if (! CHANGEPW_SERVICE(rqstp)) { +- if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ if (!kadm5int_acl_check(handle->context, name, + ACL_DELETE, arg->src, NULL)) + ret.code = KADM5_AUTH_DELETE; + /* any restrictions at all on the ADD kills the RENAME */ +- if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ if (!kadm5int_acl_check(handle->context, name, + ACL_ADD, arg->dest, &rp) || rp) { + if (ret.code == KADM5_AUTH_DELETE) + ret.code = KADM5_AUTH_INSUFFICIENT; +@@ -661,6 +717,8 @@ rename_principal_2_svc(rprinc_arg *arg, + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -674,8 +732,9 @@ get_principal_2_svc(gprinc_arg *arg, str + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_gprinc_ret, &ret); ++ xdr_free(xdr_gprinc_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -696,9 +755,13 @@ get_principal_2_svc(gprinc_arg *arg, str + goto exit_func; + } + +- if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (! cmp_gss_krb5_name(handle, name, arg->princ) && + (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_INQUIRE, + arg->princ, + NULL))) { +@@ -723,6 +786,8 @@ get_principal_2_svc(gprinc_arg *arg, str + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -736,8 +801,9 @@ get_princs_2_svc(gprincs_arg *arg, struc + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_gprincs_ret, &ret); ++ xdr_free(xdr_gprincs_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -755,8 +821,12 @@ get_princs_2_svc(gprincs_arg *arg, struc + if (prime_arg == NULL) + prime_arg = "*"; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_LIST, + NULL, + NULL)) { +@@ -781,6 +851,8 @@ get_princs_2_svc(gprincs_arg *arg, struc + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -794,8 +866,9 @@ chpass_principal_2_svc(chpass_arg *arg, + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -814,11 +887,15 @@ chpass_principal_2_svc(chpass_arg *arg, + goto exit_func; + } + +- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (cmp_gss_krb5_name(handle, name, arg->princ)) { + ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, + FALSE, 0, NULL, arg->pass); + } else if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); +@@ -844,6 +921,8 @@ chpass_principal_2_svc(chpass_arg *arg, + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -857,8 +936,9 @@ chpass_principal3_2_svc(chpass3_arg *arg + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -877,14 +957,18 @@ chpass_principal3_2_svc(chpass3_arg *arg + goto exit_func; + } + +- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (cmp_gss_krb5_name(handle, name, arg->princ)) { + ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + arg->pass); + } else if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ, + arg->keepold, +@@ -913,6 +997,8 @@ chpass_principal3_2_svc(chpass3_arg *arg + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -926,8 +1012,9 @@ setv4key_principal_2_svc(setv4key_arg *a + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -946,8 +1033,12 @@ setv4key_principal_2_svc(setv4key_arg *a + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); +@@ -973,6 +1064,8 @@ setv4key_principal_2_svc(setv4key_arg *a + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -986,8 +1079,9 @@ setkey_principal_2_svc(setkey_arg *arg, + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1006,8 +1100,12 @@ setkey_principal_2_svc(setkey_arg *arg, + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); +@@ -1033,6 +1131,8 @@ setkey_principal_2_svc(setkey_arg *arg, + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1046,8 +1146,9 @@ setkey_principal3_2_svc(setkey3_arg *arg + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1066,8 +1167,12 @@ setkey_principal3_2_svc(setkey3_arg *arg + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_SETKEY, arg->princ, NULL)) { + ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ, + arg->keepold, +@@ -1096,6 +1201,8 @@ setkey_principal3_2_svc(setkey3_arg *arg + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1111,8 +1218,9 @@ chrand_principal_2_svc(chrand_arg *arg, + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_chrand_ret, &ret); ++ xdr_free(xdr_chrand_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1134,11 +1242,15 @@ chrand_principal_2_svc(chrand_arg *arg, + goto exit_func; + } + +- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (cmp_gss_krb5_name(handle, name, arg->princ)) { + ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, + FALSE, 0, NULL, &k, &nkeys); + } else if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); +@@ -1168,6 +1280,8 @@ chrand_principal_2_svc(chrand_arg *arg, + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1183,8 +1297,9 @@ chrand_principal3_2_svc(chrand3_arg *arg + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_chrand_ret, &ret); ++ xdr_free(xdr_chrand_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1205,14 +1320,18 @@ chrand_principal3_2_svc(chrand3_arg *arg + goto exit_func; + } + +- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (cmp_gss_krb5_name(handle, name, arg->princ)) { + ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, + &k, &nkeys); + } else if (!(CHANGEPW_SERVICE(rqstp)) && +- kadm5int_acl_check(handle->context, rqst2name(rqstp), ++ kadm5int_acl_check(handle->context, name, + ACL_CHANGEPW, arg->princ, NULL)) { + ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ, + arg->keepold, +@@ -1245,6 +1364,8 @@ chrand_principal3_2_svc(chrand3_arg *arg + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1258,8 +1379,9 @@ create_policy_2_svc(cpol_arg *arg, struc + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1275,8 +1397,12 @@ create_policy_2_svc(cpol_arg *arg, struc + } + prime_arg = arg->rec.policy; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; + log_unauth("kadm5_create_policy", prime_arg, +@@ -1299,6 +1425,8 @@ create_policy_2_svc(cpol_arg *arg, struc + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1312,8 +1440,9 @@ delete_policy_2_svc(dpol_arg *arg, struc + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1329,8 +1458,12 @@ delete_policy_2_svc(dpol_arg *arg, struc + } + prime_arg = arg->name; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_DELETE, NULL, NULL)) { + log_unauth("kadm5_delete_policy", prime_arg, + &client_name, &service_name, rqstp); +@@ -1351,6 +1484,8 @@ delete_policy_2_svc(dpol_arg *arg, struc + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1364,8 +1499,9 @@ modify_policy_2_svc(mpol_arg *arg, struc + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1381,8 +1517,12 @@ modify_policy_2_svc(mpol_arg *arg, struc + } + prime_arg = arg->rec.policy; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_MODIFY, NULL, NULL)) { + log_unauth("kadm5_modify_policy", prime_arg, + &client_name, &service_name, rqstp); +@@ -1404,6 +1544,8 @@ modify_policy_2_svc(mpol_arg *arg, struc + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1419,8 +1561,9 @@ get_policy_2_svc(gpol_arg *arg, struct s + kadm5_principal_ent_rec caller_ent; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_gpol_ret, &ret); ++ xdr_free(xdr_gpol_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1438,9 +1581,13 @@ get_policy_2_svc(gpol_arg *arg, struct s + } + prime_arg = arg->name; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + ret.code = KADM5_AUTH_GET; + if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_INQUIRE, NULL, NULL)) + ret.code = KADM5_OK; + else { +@@ -1479,6 +1626,8 @@ get_policy_2_svc(gpol_arg *arg, struct s + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + + } +@@ -1493,8 +1642,9 @@ get_pols_2_svc(gpols_arg *arg, struct sv + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_gpols_ret, &ret); ++ xdr_free(xdr_gpols_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1512,8 +1662,12 @@ get_pols_2_svc(gpols_arg *arg, struct sv + if (prime_arg == NULL) + prime_arg = "*"; + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_LIST, NULL, NULL)) { + ret.code = KADM5_AUTH_LIST; + log_unauth("kadm5_get_policies", prime_arg, +@@ -1535,6 +1689,8 @@ get_pols_2_svc(gpols_arg *arg, struct sv + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1546,7 +1702,7 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 + kadm5_server_handle_t handle; + const char *errmsg = NULL; + +- xdr_free(xdr_getprivs_ret, &ret); ++ xdr_free(xdr_getprivs_ret, (char *) &ret); + + if ((ret.code = new_server_handle(*arg, rqstp, &handle))) + goto exit_func; +@@ -1588,8 +1744,9 @@ purgekeys_2_svc(purgekeys_arg *arg, stru + kadm5_server_handle_t handle; + + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1610,9 +1767,13 @@ purgekeys_2_svc(purgekeys_arg *arg, stru + goto exit_func; + } + +- if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (!cmp_gss_krb5_name(handle, name, arg->princ) && + (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, ++ || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, + arg->princ, NULL))) { + ret.code = KADM5_AUTH_MODIFY; + log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); +@@ -1633,6 +1794,8 @@ purgekeys_2_svc(purgekeys_arg *arg, stru + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1646,8 +1809,9 @@ get_strings_2_svc(gstrings_arg *arg, str + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_gstrings_ret, &ret); ++ xdr_free(xdr_gstrings_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1666,9 +1830,13 @@ get_strings_2_svc(gstrings_arg *arg, str + goto exit_func; + } + +- if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } ++ if (! cmp_gss_krb5_name(handle, name, arg->princ) && + (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, +- rqst2name(rqstp), ++ name, + ACL_INQUIRE, + arg->princ, + NULL))) { +@@ -1692,6 +1860,8 @@ get_strings_2_svc(gstrings_arg *arg, str + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1705,8 +1875,9 @@ set_string_2_svc(sstring_arg *arg, struc + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; ++ gss_name_t name = NULL; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) + goto exit_func; +@@ -1725,8 +1896,12 @@ set_string_2_svc(sstring_arg *arg, struc + goto exit_func; + } + ++ if (!(name = rqst2name(rqstp))) { ++ ret.code = KADM5_FAILURE; ++ goto exit_func; ++ } + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, ++ || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_MODIFY; + log_unauth("kadm5_mod_strings", prime_arg, +@@ -1748,6 +1923,8 @@ set_string_2_svc(sstring_arg *arg, struc + gss_release_buffer(&minor_stat, &service_name); + exit_func: + free_server_handle(handle); ++ if (name) ++ gss_release_name(&minor_stat, &name); + return &ret; + } + +@@ -1762,7 +1939,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, + size_t clen, slen; + char *cdots, *sdots; + +- xdr_free(xdr_generic_ret, &ret); ++ xdr_free(xdr_generic_ret, (char *) &ret); + + if ((ret.code = new_server_handle(*arg, rqstp, &handle))) + goto exit_func; +@@ -1807,9 +1984,18 @@ exit_func: + gss_name_t + rqst2name(struct svc_req *rqstp) + { ++ OM_uint32 maj_stat, min_stat; ++ gss_name_t name; ++ rpc_gss_rawcred_t * raw_cred; ++ gss_buffer_desc name_buff; + +- if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS) +- return rqstp->rq_clntname; +- else +- return rqstp->rq_clntcred; ++ rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); ++ name_buff.value = raw_cred->client_principal->name; ++ name_buff.length = raw_cred->client_principal->len; ++ maj_stat = gss_import_name(&min_stat, &name_buff, ++ (gss_OID) GSS_C_NT_EXPORT_NAME, &name); ++ if (maj_stat != GSS_S_COMPLETE) { ++ return (NULL); ++ } ++ return (name); + } +diff -pur old/src/lib/Makefile.in new/src/lib/Makefile.in +--- old/src/lib/Makefile.in ++++ new/src/lib/Makefile.in +@@ -1,5 +1,5 @@ + mydir=lib +-SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils krad ++SUBDIRS=crypto krb5 gssapi kdb kadm5 apputils krad + WINSUBDIRS=crypto krb5 gssapi + BUILDTOP=$(REL).. + +diff -pur old/src/lib/apputils/net-server.c new/src/lib/apputils/net-server.c +--- old/src/lib/apputils/net-server.c ++++ new/src/lib/apputils/net-server.c +@@ -32,7 +32,7 @@ + #include "port-sockets.h" + #include "socket-utils.h" + +-#include ++#include + + #ifdef HAVE_NETINET_IN_H + #include +@@ -228,6 +228,9 @@ struct connection { + #define FREE_SET_DATA(set) \ + (free(set.data), set.data = 0, set.max = 0, set.n = 0) + ++#define EMPTY(set) \ ++ (set.n == 0) ++ + /* + * N.B.: The Emacs cc-mode indentation code seems to get confused if + * the macro argument here is one word only. So use "unsigned short" +@@ -546,6 +549,127 @@ add_tcp_read_fd(struct socksetup *data, + process_tcp_connection_read, 1); + } + ++static int ++set_tli_opt(int fd, int level, int name, const void *val, unsigned int val_len) ++{ ++ struct t_optmgmt req, rep; ++ struct opthdr *opt; ++ char reqbuf[256]; ++ ++ if (val_len + sizeof (struct opthdr) > sizeof (reqbuf)) ++ return -1; ++ ++ opt = (struct opthdr *) reqbuf; ++ opt->level = level; ++ opt->name = name; ++ opt->len = val_len; ++ ++ memcpy(reqbuf + sizeof (struct opthdr), val, val_len); ++ ++ req.flags = T_NEGOTIATE; ++ req.opt.len = sizeof (struct opthdr) + opt->len; ++ req.opt.buf = (char *) opt; ++ ++ rep.flags = 0; ++ rep.opt.buf = reqbuf; ++ rep.opt.maxlen = sizeof (reqbuf); ++ ++ if (t_optmgmt(fd, &req, &rep) < 0 || rep.flags != T_SUCCESS) { ++ t_error("t_optmgmt"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++/* Create a tli/xti endpoint and bind it to port. Ensure the file descriptor ++ * will work with select. Set cloexec, reuseaddr, and if applicable v6-only. ++ * Does not call listen(). Returns -1 on failure after logging an error. ++ */ ++static int ++create_server_endpoint(struct socksetup *data, struct netconfig *nconf, ++ u_short port) ++{ ++ int fd, on; ++ struct t_info tinfo; ++ struct t_bind *tbind, *tres; ++ struct sockaddr_in *sin4; ++ struct sockaddr_in6 *sin6; ++ ++ /* open transport endpoint */ ++ fd = t_open(nconf->nc_device, O_RDWR, &tinfo); ++ if (fd == -1) { ++ data ->retval = errno; ++ com_err(data->prog, errno, ++ _("unable to open connection for ADMIN server")); ++ return -1; ++ } ++ set_cloexec_fd(fd); ++ ++ /* ensure fd works with select */ ++#ifndef _WIN32 /* Windows FD_SETSIZE is a count. */ ++ if (fd >= FD_SETSIZE) { ++ t_close(fd); ++ com_err(data->prog, 0, _("endpoint fd number %d too high"), fd); ++ return -1; ++ } ++#endif ++ ++ /* set SO_REUSEADDR */ ++ on = 1; ++ if (set_tli_opt(fd, SOL_SOCKET, SO_REUSEADDR , &on, sizeof (on)) < 0) ++ com_err(data->prog, errno, ++ _("cannot enable SO_REUSEADDR on fd %d"), fd); ++ ++ /* set IPv6-only as appropriate */ ++ if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { ++#ifdef IPV6_V6ONLY ++ if (set_tli_opt(fd, IPPROTO_IPV6, IPV6_V6ONLY , &on, sizeof (on)) < 0) ++ com_err(data->prog, errno, ++ _("cannot set IPV6_V6ONLY on fd %d"), fd); ++#else ++ krb5_klog_syslog(LOG_INFO, _("no IPV6_V6ONLY socket option support")); ++#endif /* IPV6_V6ONLY */ ++ } ++ ++ /* bind fd to specified port */ ++ if (port != 0) { ++ tbind = (struct t_bind *)t_alloc(fd, T_BIND, T_ADDR); ++ if (tbind == NULL) { ++ com_err(data->prog, errno, ++ _("Cannot allocate t_bind structure.")); ++ t_close(fd); ++ return -1; ++ } ++ ++ tbind->qlen = 8; ++ tbind->addr.len = tbind->addr.maxlen; ++ if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { ++ sin6 = (struct sockaddr_in6 *)tbind->addr.buf; ++ sin6->sin6_family = AF_INET6; ++ sin6->sin6_addr = in6addr_any; ++ sin6->sin6_port = htons(port); ++ } else if (strcmp(nconf->nc_protofmly, NC_INET) == 0) { ++ sin4 = (struct sockaddr_in *)tbind->addr.buf; ++ sin4->sin_family = AF_INET; ++ sin4->sin_addr.s_addr = INADDR_ANY; ++ sin4->sin_port = htons(port); ++ } ++ ++ if (t_bind(fd, tbind, NULL) < 0) { ++ data->retval = errno; ++ com_err(data->prog, errno, ++ _("Cannot bind transport endpoint on %d"), port); ++ t_free(tbind, T_BIND); ++ t_close(fd); ++ return -1; ++ } ++ t_free(tbind, T_BIND); ++ } ++ ++ return fd; ++} ++ + /* + * Create a socket and bind it to addr. Ensure the socket will work with + * select(). Set the socket cloexec, reuseaddr, and if applicable v6-only. +@@ -604,12 +728,13 @@ create_server_socket(struct socksetup *d + } + + static verto_ev * +-add_rpc_listener_fd(struct socksetup *data, struct rpc_svc_data *svc, int sock) ++add_rpc_listener_fd(struct socksetup *data, struct netconfig *nconf, ++ struct rpc_svc_data *svc, int fd) + { + struct connection *conn; + verto_ev *ev; + +- ev = add_fd(data, sock, CONN_RPC_LISTENER, ++ ev = add_fd(data, fd, CONN_RPC_LISTENER, + VERTO_EV_FLAG_IO_READ | + VERTO_EV_FLAG_PERSIST | + VERTO_EV_FLAG_REINITIABLE, +@@ -618,7 +743,7 @@ add_rpc_listener_fd(struct socksetup *da + return NULL; + + conn = verto_get_private(ev); +- conn->transp = svctcp_create(sock, 0, 0); ++ conn->transp = svc_tli_create(fd, nconf, NULL, 0, 0); + if (conn->transp == NULL) { + krb5_klog_syslog(LOG_ERR, + _("Cannot create RPC service: %s; continuing"), +@@ -627,11 +752,14 @@ add_rpc_listener_fd(struct socksetup *da + return NULL; + } + +- if (!svc_register(conn->transp, svc->prognum, svc->versnum, +- svc->dispatch, 0)) { ++ if (!svc_reg(conn->transp, svc->prognum, svc->versnum, ++ svc->dispatch, nconf)) { + krb5_klog_syslog(LOG_ERR, +- _("Cannot register RPC service: %s; continuing"), +- strerror(errno)); ++ _("Cannot register RPC prog %d vers %d on %s; " ++ "continuing"), ++ (int) svc->prognum, ++ (int) svc->versnum, ++ nconf->nc_netid); + verto_del(ev); + return NULL; + } +@@ -760,53 +888,99 @@ setup_tcp_listener_ports(struct socksetu + return 0; + } + ++static void ++log_rpc_listen(int fd, struct rpc_svc_data *svc, struct netconfig *nconf) { ++ if (svc->port != 0) ++ krb5_klog_syslog(LOG_INFO, ++ _("listening on fd %d: %s port %hd " ++ "(RPC prog %d vers %d)"), ++ fd, nconf->nc_netid, svc->port, ++ (int) svc->prognum, (int) svc->versnum); ++ else ++ krb5_klog_syslog(LOG_INFO, ++ _("listening on fd %d: %s random port " ++ "(RPC prog %d vers %d)"), ++ fd, nconf->nc_netid, ++ (int) svc->prognum, (int) svc->versnum); ++ ++} ++ + static int + setup_rpc_listener_ports(struct socksetup *data) + { + struct sockaddr_in sin4; + struct sockaddr_in6 sin6; +- int i; ++ int i, fd, ret = -1, n_svcs = 0; + struct rpc_svc_data svc; ++ void *handlep; ++ struct netconfig *nconf, *nconf4 = NULL, *nconf6 = NULL; ++ char *protofmly = NULL; ++ ++ /* pick the right network: tcp and tcp6 */ ++ if ((handlep = setnetconfig()) == NULL) { ++ com_err(data->prog, errno, _("cannot get any transport information")); ++ goto cleanup; ++ } ++ ++ while (nconf = getnetconfig(handlep)) { ++ if ((nconf->nc_semantics == NC_TPI_COTS_ORD) && ++ (strcmp(nconf->nc_proto, NC_TCP) == 0)){ ++ if (strcmp(nconf->nc_protofmly, NC_INET) == 0) ++ nconf4 = nconf; ++ if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) ++ nconf6 = nconf; ++ } ++ } + +- memset(&sin4, 0, sizeof(sin4)); +- sin4.sin_family = AF_INET; +- sin4.sin_addr.s_addr = INADDR_ANY; +- +- memset(&sin6, 0, sizeof(sin6)); +- sin6.sin6_family = AF_INET6; +- sin6.sin6_addr = in6addr_any; ++ if (nconf4 == NULL && nconf6 == NULL) { ++ com_err(data->prog, 0, _("no transport with proto=%s"), NC_TCP); ++ goto cleanup; ++ } + + FOREACH_ELT (rpc_svc_data, i, svc) { +- int s4; +- int s6; +- +- sa_setport((struct sockaddr *)&sin4, svc.port); +- s4 = create_server_socket(data, (struct sockaddr *)&sin4, SOCK_STREAM); +- if (s4 < 0) +- return -1; +- +- if (add_rpc_listener_fd(data, &svc, s4) == NULL) +- close(s4); +- else +- krb5_klog_syslog(LOG_INFO, _("listening on fd %d: rpc %s"), +- s4, paddr((struct sockaddr *)&sin4)); ++ fd = create_server_endpoint(data, nconf4, svc.port); ++ if (fd < 0) ++ goto cleanup; ++ ++ if (add_rpc_listener_fd(data, nconf4, &svc, fd) == NULL) ++ close(fd); ++ else { ++ n_svcs++; ++ log_rpc_listen(fd, &svc, nconf4); ++ } + + if (ipv6_enabled()) { +- sa_setport((struct sockaddr *)&sin6, svc.port); +- s6 = create_server_socket(data, (struct sockaddr *)&sin6, +- SOCK_STREAM); +- if (s6 < 0) +- return -1; ++ fd = create_server_endpoint(data, nconf6, svc.port); ++ if (fd < 0) ++ goto cleanup; + +- if (add_rpc_listener_fd(data, &svc, s6) == NULL) +- close(s6); +- else +- krb5_klog_syslog(LOG_INFO, _("listening on fd %d: rpc %s"), +- s6, paddr((struct sockaddr *)&sin6)); ++ if (add_rpc_listener_fd(data, nconf6, &svc, fd) == NULL) ++ close(fd); ++ else { ++ n_svcs++; ++ log_rpc_listen(fd, &svc, nconf6); ++ } + } + } +- +- return 0; ++ if (n_svcs > 0) { ++ krb5_klog_syslog(LOG_INFO, _("%d RPC services registered"), n_svcs); ++ } else if (!EMPTY(rpc_svc_data)){ ++ /* ++ * If rpc_svc_data is not empty and n_svcs is 0, it means that ++ * we have tried to register some RPC services, but failed for all of ++ * them. In that case, refuse to start. ++ * If rpc_svc_data was emtpy, it means we were not registering any RPC ++ * services in the firstplace. krb5kdc is an example of daemon ++ * that does not register any RPC services. ++ */ ++ com_err(data->prog, 0, _("Cannot register any RPC services, exiting.")); ++ exit (1); ++ } ++ ret = 0; ++ ++cleanup: ++ endnetconfig(handlep); ++ return ret; + } + + #if defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) && \ +diff -pur old/src/lib/kadm5/Makefile.in new/src/lib/kadm5/Makefile.in +--- old/src/lib/kadm5/Makefile.in ++++ new/src/lib/kadm5/Makefile.in +@@ -21,6 +21,7 @@ SRCS = kadm_err.c \ + $(srcdir)/chpass_util.c \ + $(srcdir)/alt_prof.c \ + $(srcdir)/str_conv.c \ ++ $(srcdir)/kadm_host_srv_names.c \ + $(srcdir)/logger.c + + OBJS = kadm_err.$(OBJEXT) \ +@@ -30,6 +31,7 @@ OBJS = kadm_err.$(OBJEXT) \ + chpass_util.$(OBJEXT) \ + alt_prof.$(OBJEXT) \ + str_conv.$(OBJEXT) \ ++ kadm_host_srv_names.$(OBJEXT) \ + logger.$(OBJEXT) + + STLIBOBJS = \ +@@ -40,6 +42,7 @@ STLIBOBJS = \ + chpass_util.o \ + alt_prof.o \ + str_conv.o \ ++ kadm_host_srv_names.o \ + logger.o + + HDRDIR=$(BUILDTOP)/include/kadm5 +diff -pur old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h +--- old/src/lib/kadm5/admin.h ++++ new/src/lib/kadm5/admin.h +@@ -42,7 +42,7 @@ + #define __KADM5_ADMIN_H__ + + #include +-#include ++#include + #include + #include + #include +@@ -67,6 +67,7 @@ KADM5INT_BEGIN_DECLS + + #define KADM5_KIPROP_HOST_SERVICE "kiprop" + #define KADM5_ADMIN_HOST_SERVICE "kadmin" ++#define KADM5_CHANGEPW_HOST_SERVICE "changepw" + + typedef krb5_principal kadm5_princ_t; + typedef char *kadm5_policy_t; +@@ -453,6 +454,21 @@ kadm5_ret_t kadm5_free_key_data(void + kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, + int count); + ++kadm5_ret_t ++kadm5_get_adm_host_srv_names(krb5_context context, ++ const char *realm, char ***host_service_names); ++ ++kadm5_ret_t ++kadm5_get_cpw_host_srv_names(krb5_context context, ++ const char *realm, char ***host_service_names); ++ ++kadm5_ret_t ++kadm5_get_kiprop_host_srv_names(krb5_context context, ++ const char *realm, char ***host_service_names); ++ ++void ++free_srv_names(char **srv_names); ++ + krb5_error_code kadm5_init_krb5_context (krb5_context *); + + krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args); +diff -pur old/src/lib/kadm5/alt_prof.c new/src/lib/kadm5/alt_prof.c +--- old/src/lib/kadm5/alt_prof.c ++++ new/src/lib/kadm5/alt_prof.c +@@ -746,10 +746,17 @@ krb5_error_code kadm5_get_config_params( + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + params.iprop_enabled = params_in->iprop_enabled; + } else { +- if (aprofile && +- !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { +- params.iprop_enabled = bvalue; +- params.mask |= KADM5_CONFIG_IPROP_ENABLED; ++ if (aprofile) { ++ if(!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { ++ params.iprop_enabled = bvalue; ++ params.mask |= KADM5_CONFIG_IPROP_ENABLED; ++ } else { ++ hierarchy[2] = KRB5_CONF_SUNW_DBPROP_ENABLE; ++ if(!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)){ ++ params.iprop_enabled = bvalue; ++ params.mask |= KADM5_CONFIG_IPROP_ENABLED; ++ } ++ } + } + } + +@@ -778,18 +785,30 @@ krb5_error_code kadm5_get_config_params( + params.mask |= KADM5_CONFIG_ULOG_SIZE; + params.iprop_ulogsize = params_in->iprop_ulogsize; + } else { +- if (aprofile != NULL && +- !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { +- if (ivalue <= 0) +- params.iprop_ulogsize = DEF_ULOGENTRIES; +- else +- params.iprop_ulogsize = ivalue; +- params.mask |= KADM5_CONFIG_ULOG_SIZE; ++ if (aprofile != NULL) { ++ if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { ++ if (ivalue <= 0) ++ params.iprop_ulogsize = DEF_ULOGENTRIES; ++ else ++ params.iprop_ulogsize = ivalue; ++ params.mask |= KADM5_CONFIG_ULOG_SIZE; ++ } else { ++ hierarchy[2] = KRB5_CONF_SUNW_DBPROP_MASTER_ULOGSIZE; ++ if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { ++ if (ivalue <= 0) ++ params.iprop_ulogsize = DEF_ULOGENTRIES; ++ else ++ params.iprop_ulogsize = ivalue; ++ params.mask |= KADM5_CONFIG_ULOG_SIZE; ++ } ++ } + } + } + + GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, +- KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ ++ KRB5_CONF_SUNW_DBPROP_SLAVE_POLL, 2 * 60); /* 2m */ ++ GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, ++ KRB5_CONF_IPROP_SLAVE_POLL, params.iprop_poll_time); + + *params_out = params; + +diff -pur old/src/lib/kadm5/clnt/Makefile.in new/src/lib/kadm5/clnt/Makefile.in +--- old/src/lib/kadm5/clnt/Makefile.in ++++ new/src/lib/kadm5/clnt/Makefile.in +@@ -7,12 +7,11 @@ LIBMAJOR=9 + LIBMINOR=0 + STOBJLISTS=../OBJS.ST OBJS.ST + SHLIB_EXPDEPS=\ +- $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ + $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP) +-SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) ++SHLIB_EXPLIBS= -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) + RELDIR=kadm5/clnt + + ##DOSBUILDTOP = ..\..\.. +diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- old/src/lib/kadm5/clnt/client_init.c ++++ new/src/lib/kadm5/clnt/client_init.c +@@ -44,12 +44,12 @@ + #include + #include "iprop.h" + +-#include ++#include + #include + #include +-#include + + #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" ++#define KADMIND_CONNECT_TIMEOUT 25 + + enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; + +@@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex + server_handle); + } + ++/* ++ * Open an fd for the given address and connect asynchronously. Wait ++ * KADMIND_CONNECT_TIMEOUT seconds or till it succeeds. If it succeeds ++ * change fd to blocking and return it, else return -1. ++ */ ++static int ++get_connection(struct netconfig *nconf, struct netbuf netaddr) ++{ ++ struct t_info tinfo; ++ struct t_call sndcall; ++ struct t_call *rcvcall = NULL; ++ int connect_time; ++ int flags; ++ int fd; ++ ++ (void) memset(&tinfo, 0, sizeof (tinfo)); ++ ++ /* we'l open with O_NONBLOCK and avoid an fcntl */ ++ fd = t_open(nconf->nc_device, O_RDWR | O_NONBLOCK, &tinfo); ++ if (fd == -1) { ++ return (-1); ++ } ++ ++ if (t_bind(fd, (struct t_bind *)NULL, (struct t_bind *)NULL) == -1) { ++ (void) t_close(fd); ++ return (-1); ++ } ++ ++ /* we can't connect unless fd is in IDLE state */ ++ if (t_getstate(fd) != T_IDLE) { ++ (void) t_close(fd); ++ return (-1); ++ } ++ ++ /* setup connect parameters */ ++ netaddr.len = netaddr.maxlen = __rpc_get_a_size(tinfo.addr); ++ sndcall.addr = netaddr; ++ sndcall.opt.len = sndcall.udata.len = 0; ++ ++ /* we wait for KADMIND_CONNECT_TIMEOUT seconds from now */ ++ connect_time = time(NULL) + KADMIND_CONNECT_TIMEOUT; ++ if (t_connect(fd, &sndcall, rcvcall) != 0) { ++ if (t_errno != TNODATA) { ++ (void) t_close(fd); ++ return (-1); ++ } ++ } ++ ++ /* loop till success or timeout */ ++ for (;;) { ++ if (t_rcvconnect(fd, rcvcall) == 0) ++ break; ++ ++ if (t_errno != TNODATA || time(NULL) > connect_time) { ++ /* we have either timed out or caught an error */ ++ (void) t_close(fd); ++ if (rcvcall != NULL) ++ t_free((char *)rcvcall, T_CALL); ++ return (-1); ++ } ++ sleep(1); ++ } ++ ++ /* make the fd blocking (synchronous) */ ++ flags = fcntl(fd, F_GETFL, 0); ++ (void) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK); ++ if (rcvcall != NULL) ++ t_free((char *)rcvcall, T_CALL); ++ return (fd); ++} ++ ++/* ++ * Wrapper over clnt_tli_create. ++ * Opens a connection to host:port and calls clnt_tli_create. ++ * Returns a client handle or NULL on failure. ++ */ ++static CLIENT* ++clnt_create_with_port(const char *host, int port, ++ const rpcprog_t prog, const rpcvers_t vers) ++{ ++ struct netbuf netaddr; ++ struct hostent *hp; ++ int fd; ++ struct sockaddr_in addr; ++ struct sockaddr_in *sin; ++ struct netconfig *nconf; ++ void *handlep = NULL; ++ CLIENT *clnt = NULL; ++ ++ hp = gethostbyname(host); ++ if (hp == (struct hostent *)NULL) { ++ goto cleanup; ++ } ++ ++ memset(&addr, 0, sizeof (addr)); ++ addr.sin_family = hp->h_addrtype; ++ (void) memcpy((char *)&addr.sin_addr, (char *)hp->h_addr, ++ sizeof (addr.sin_addr)); ++ addr.sin_port = htons((ushort_t)port); ++ sin = &addr; ++ if ((handlep = setnetconfig()) == (void *) NULL) { ++ goto cleanup; ++ } ++ ++ while (nconf = getnetconfig(handlep)) { ++ if ((nconf->nc_semantics == NC_TPI_COTS_ORD) && ++ (strcmp(nconf->nc_protofmly, NC_INET) == 0) && ++ (strcmp(nconf->nc_proto, NC_TCP) == 0)) ++ break; ++ } ++ ++ if (nconf == (struct netconfig *)NULL) ++ goto cleanup; ++ ++ /* Transform addr to netbuf */ ++ (void) memset(&netaddr, 0, sizeof (netaddr)); ++ netaddr.buf = (char *)sin; ++ ++ /* get an fd connected to the given address */ ++ fd = get_connection(nconf, netaddr); ++ if (fd == -1) { ++ goto cleanup; ++ } ++ ++ clnt = clnt_tli_create(fd, nconf, NULL, prog, vers, 0, 0); ++ if (clnt == NULL) { ++ clnt_pcreateerror("ERROR:"); ++ (void) t_close(fd); ++ goto cleanup; ++ } ++ /* ++ * The rpc-handle was created on an fd opened and connected ++ * by us, so we have to explicitly tell rpc to close it. ++ */ ++ if (clnt_control(clnt, CLSET_FD_CLOSE, NULL) != TRUE) { ++ clnt_destroy(clnt); ++ clnt = NULL; ++ (void) t_close(fd); ++ } ++ ++cleanup: ++ if (handlep != (void *) NULL) ++ (void) endnetconfig(handlep); ++ ++ return (clnt); ++} ++ ++/* ++ * Open an RPCSEC_GSS connection and ++ * get a client handle to use for future RPCSEC calls. ++ * ++ * This function is only used when changing passwords and ++ * the kpasswd_protocol is RPCSEC_GSS ++ */ ++static int ++_kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle, ++ char *client_name, ++ char *service_name) ++{ ++ int code = 0; ++ generic_ret *r; ++ char *ccname_orig = NULL; ++ char *iprop_svc; ++ boolean_t iprop_enable = B_FALSE; ++ char mech[] = "kerberos_v5"; ++ gss_OID mech_oid; ++ gss_OID_set_desc oid_set; ++ gss_name_t gss_client; ++ gss_buffer_desc input_name; ++ gss_cred_id_t gss_client_creds = GSS_C_NO_CREDENTIAL; ++ rpc_gss_options_req_t options_req; ++ rpc_gss_options_ret_t options_ret; ++ rpc_gss_service_t service = rpc_gss_svc_privacy; ++ OM_uint32 gssstat, minor_stat; ++ enum clnt_stat rpc_err_code; ++ char *server; ++ int port; ++ ++ /* service name is service/host */ ++ server = strpbrk(service_name, "/"); ++ if (!server) { ++ code = KADM5_BAD_SERVER_NAME; ++ goto cleanup; ++ } ++ ++ /* but rpc_gss_secreate expects service@host */ ++ *server++ = '@'; ++ ++ iprop_svc = strdup(KIPROP_SVC_NAME); ++ if (iprop_svc == NULL) ++ return (ENOMEM); ++ ++ /* ++ * If the service_name and client_name are iprop-centric ++ * use iprop service; otherwise use kadmin service. ++ */ ++ if ((strstr(service_name, iprop_svc) != NULL) && ++ (strstr(client_name, iprop_svc) != NULL)) { ++ iprop_enable = B_TRUE; ++ } ++ ++ /* ++ * iprop fallback logic: ++ * - if iprop_port is configured, connect to iprop_port ++ * - if not, query remote rpc/bind ++ * - if that fails, try consuming iprop service on kadmin port ++ */ ++ if (iprop_enable && handle->params.iprop_port != 0){ ++ port = handle->params.iprop_port; ++ handle->clnt = clnt_create_with_port(server, port, ++ KRB5_IPROP_PROG, ++ KRB5_IPROP_VERS); ++ } else if (iprop_enable && handle->params.iprop_port == 0) { ++ /* using remote rpc/bind first */ ++ handle->clnt = clnt_create(server, KRB5_IPROP_PROG, ++ KRB5_IPROP_VERS, NC_TCP); ++ if (handle->clnt == NULL) { ++ /* possible rpc/bind failure, try kadmin port */ ++ port = handle->params.kadmind_port; ++ handle->clnt = clnt_create_with_port(server, port, ++ KRB5_IPROP_PROG, ++ KRB5_IPROP_VERS); ++ } ++ } else { ++ /* kadmin service */ ++ port = handle->params.kadmind_port; ++ handle->clnt = clnt_create_with_port(server, port, ++ KADM, KADMVERS); ++ } ++ ++ if (handle->clnt == NULL) { ++ code = KADM5_RPC_ERROR; ++ goto error; ++ } ++ ++ if (iprop_svc) ++ free(iprop_svc); ++ ++ handle->lhandle->clnt = handle->clnt; ++ ++ /* now that handle->clnt is set, we can check the handle */ ++ if (code = _kadm5_check_handle((void *) handle)) ++ goto error; ++ ++ /* ++ * The RPC connection is open; establish the GSS-API ++ * authentication context. ++ */ ++ /* use the kadm5 cache */ ++ gssstat = gss_krb5_ccache_name(&minor_stat, handle->cache_name, ++ &ccname_orig); ++ if (gssstat != GSS_S_COMPLETE) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ if (ccname_orig) ++ ccname_orig = strdup(ccname_orig); ++ ++ input_name.value = client_name; ++ input_name.length = strlen((char *)input_name.value) + 1; ++ gssstat = gss_import_name(&minor_stat, &input_name, ++ (gss_OID)gss_nt_krb5_name, &gss_client); ++ if (gssstat != GSS_S_COMPLETE) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ ++ if (!rpc_gss_mech_to_oid(mech, (rpc_gss_OID *)&mech_oid)) { ++ goto error; ++ } ++ ++ oid_set.count = 1; ++ oid_set.elements = mech_oid; ++ ++ gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, ++ &oid_set, GSS_C_INITIATE, ++ &gss_client_creds, NULL, NULL); ++ (void) gss_release_name(&minor_stat, &gss_client); ++ if (gssstat != GSS_S_COMPLETE) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ options_req.my_cred = gss_client_creds; ++ options_req.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; ++ options_req.time_req = 0; ++ options_req.input_channel_bindings = NULL; ++#ifndef INIT_TEST ++ handle->clnt->cl_auth = rpc_gss_seccreate(handle->clnt, ++ service_name, ++ mech, ++ service, ++ NULL, ++ &options_req, ++ &options_ret); ++#endif /* ! INIT_TEST */ ++ ++ if (ccname_orig) { ++ gssstat = gss_krb5_ccache_name(&minor_stat, ccname_orig, NULL); ++ free(ccname_orig); ++ if (gssstat != GSS_S_COMPLETE) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ } else { ++ gssstat = gss_krb5_ccache_name(&minor_stat, NULL, NULL); ++ if (gssstat != GSS_S_COMPLETE) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ } ++ ++ if (handle->clnt->cl_auth == NULL) { ++ code = KADM5_GSS_ERROR; ++ goto error; ++ } ++ ++ /* ++ * Bypass the remainder of the code and return straightaway ++ * if the gss service requested is kiprop ++ */ ++ if (iprop_enable == B_TRUE) { ++ code = 0; ++ goto cleanup; ++ } ++ ++ r = init_2(&handle->api_version, handle->clnt); ++ if (r == NULL) { ++ code = KADM5_RPC_ERROR; ++ goto error; ++ } ++ ++ /* Drop down to v3 wire protocol if server does not support v4 */ ++ if (r->code == KADM5_NEW_SERVER_API_VERSION && ++ handle->api_version == KADM5_API_VERSION_4) { ++ handle->api_version = KADM5_API_VERSION_3; ++ r = init_2(&handle->api_version, handle->clnt); ++ if (r == NULL) { ++ code = KADM5_RPC_ERROR; ++ goto error; ++ } ++ } ++ ++ /* Drop down to v2 wire protocol if server does not support v3 */ ++ if (r->code == KADM5_NEW_SERVER_API_VERSION && ++ handle->api_version == KADM5_API_VERSION_3) { ++ handle->api_version = KADM5_API_VERSION_2; ++ r = init_2(&handle->api_version, handle->clnt); ++ if (r == NULL) { ++ code = KADM5_RPC_ERROR; ++ goto error; ++ } ++ } ++ ++ if (r->code) { ++ code = r->code; ++ goto error; ++ } ++error: ++cleanup: ++ /* ++ * gss_client_creds is freed only when there is an error condition, ++ * given that rpc_gss_seccreate() will assign the cred pointer to the ++ * my_cred member in the auth handle's private data structure. ++ */ ++ if (code && (gss_client_creds != GSS_C_NO_CREDENTIAL)) ++ (void) gss_release_cred(&minor_stat, &gss_client_creds); ++ ++ return (code); ++} ++ + static kadm5_ret_t + init_any(krb5_context context, char *client_name, enum init_type init_type, +- char *pass, krb5_ccache ccache_in, char *service_name, ++ char *pass, krb5_ccache ccache_in, char *svcname_in, + kadm5_config_params *params_in, krb5_ui_4 struct_version, + krb5_ui_4 api_version, char **db_args, void **server_handle) + { +@@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli + + int code = 0; + generic_ret *r; ++ char svcname[BUFSIZ]; + + initialize_ovk_error_table(); + /* initialize_adb_error_table(); */ +@@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli + if (code) + goto error; + +- /* +- * Get credentials. Also does some fallbacks in case kadmin/fqdn +- * principal doesn't exist. +- */ +- code = get_init_creds(handle, client, init_type, pass, ccache_in, +- service_name, handle->params.realm, &server); +- if (code) +- goto error; +- +- /* If the service_name and client_name are iprop-centric, use the iprop +- * port and RPC identifiers. */ +- iprop_enable = (service_name != NULL && +- strstr(service_name, KIPROP_SVC_NAME) != NULL && +- strstr(client_name, KIPROP_SVC_NAME) != NULL); +- if (iprop_enable) { +- port = handle->params.iprop_port; +- rpc_prog = KRB5_IPROP_PROG; +- rpc_vers = KRB5_IPROP_VERS; ++ /* NULL svcname means use host-based. */ ++ if (svcname_in == NULL) { ++ code = kadm5_get_admin_service_name(handle->context, ++ handle->params.realm, ++ svcname, sizeof(svcname)); ++ if (code) ++ goto error; + } else { +- port = handle->params.kadmind_port; +- rpc_prog = KADM; +- rpc_vers = KADMVERS; +- } +- +- code = connect_to_server(handle->params.admin_server, port, &fd); +- if (code) +- goto error; +- +- handle->clnt = clnttcp_create(NULL, rpc_prog, rpc_vers, &fd, 0, 0); +- if (handle->clnt == NULL) { +- code = KADM5_RPC_ERROR; +-#ifdef DEBUG +- clnt_pcreateerror("clnttcp_create"); +-#endif +- goto error; ++ strncpy(svcname, svcname_in, sizeof(svcname)); ++ svcname[sizeof(svcname)-1] = '\0'; + } +- handle->client_socket = fd; +- handle->lhandle->clnt = handle->clnt; +- handle->lhandle->client_socket = fd; +- +- /* now that handle->clnt is set, we can check the handle */ +- if ((code = _kadm5_check_handle((void *) handle))) +- goto error; + +- /* +- * The RPC connection is open; establish the GSS-API +- * authentication context. +- */ +- code = setup_gss(handle, params_in, +- (init_type == INIT_CREDS) ? client : NULL, server); ++ /* Get credentials. */ ++ code = get_init_creds(handle, client, init_type, pass, ccache_in, ++ svcname, handle->params.realm, &server); + if (code) + goto error; + +- /* +- * Bypass the remainder of the code and return straightaway +- * if the gss service requested is kiprop +- */ +- if (iprop_enable) { +- code = 0; +- *server_handle = (void *) handle; +- goto cleanup; +- } +- +- r = init_2(&handle->api_version, handle->clnt); +- if (r == NULL) { +- code = KADM5_RPC_ERROR; +-#ifdef DEBUG +- clnt_perror(handle->clnt, "init_2 null resp"); +-#endif +- goto error; +- } +- /* Drop down to v3 wire protocol if server does not support v4 */ +- if (r->code == KADM5_NEW_SERVER_API_VERSION && +- handle->api_version == KADM5_API_VERSION_4) { +- handle->api_version = KADM5_API_VERSION_3; +- r = init_2(&handle->api_version, handle->clnt); +- if (r == NULL) { +- code = KADM5_RPC_ERROR; +- goto error; +- } +- } +- /* Drop down to v2 wire protocol if server does not support v3 */ +- if (r->code == KADM5_NEW_SERVER_API_VERSION && +- handle->api_version == KADM5_API_VERSION_3) { +- handle->api_version = KADM5_API_VERSION_2; +- r = init_2(&handle->api_version, handle->clnt); +- if (r == NULL) { +- code = KADM5_RPC_ERROR; +- goto error; +- } +- } +- if (r->code) { +- code = r->code; ++ code = _kadm5_initialize_rpcsec_gss_handle(handle, client_name, ++ svcname); ++ if (code != 0) { + goto error; + } + +@@ -357,31 +656,17 @@ cleanup: + return code; + } + +-/* Get initial credentials for authenticating to server. Perform fallback from +- * kadmin/fqdn to kadmin/admin if svcname_in is NULL. */ ++/* Get initial credentials for authenticating to server. */ + static kadm5_ret_t + get_init_creds(kadm5_server_handle_t handle, krb5_principal client, + enum init_type init_type, char *pass, krb5_ccache ccache_in, +- char *svcname_in, char *realm, krb5_principal *server_out) ++ char *svcname, char *realm, krb5_principal *server_out) + { + kadm5_ret_t code; + krb5_ccache ccache = NULL; +- char svcname[BUFSIZ]; + + *server_out = NULL; + +- /* NULL svcname means use host-based. */ +- if (svcname_in == NULL) { +- code = kadm5_get_admin_service_name(handle->context, +- handle->params.realm, +- svcname, sizeof(svcname)); +- if (code) +- goto error; +- } else { +- strncpy(svcname, svcname_in, sizeof(svcname)); +- svcname[sizeof(svcname)-1] = '\0'; +- } +- + /* + * Acquire a service ticket for svcname@realm for client, using password + * pass (which could be NULL), and create a ccache to store them in. If +@@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han + + code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, + server_out); +- if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN +- || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { +- /* Retry with old host-independent service principal. */ +- code = gic_iter(handle, init_type, ccache, client, pass, +- KADM5_ADMIN_SERVICE, realm, server_out); +- } + /* Improved error messages */ + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) +@@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k + gss_cred_id_t gss_client_creds, gss_name_t gss_target) + { + OM_uint32 gssstat, minor_stat; ++ gss_buffer_desc buf; ++ rpc_gss_options_req_t options_req; ++ rpc_gss_options_ret_t options_ret; ++ ++ if (gss_display_name(&minor_stat, gss_target, &buf, NULL) != GSS_S_COMPLETE) ++ return; ++ ++ options_req.my_cred = gss_client_creds; ++ options_req.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; ++ options_req.time_req = 0; ++ options_req.input_channel_bindings = NULL; ++ handle->clnt->cl_auth = rpc_gss_seccreate(handle->clnt, ++ (char*) buf.value, ++ "kerberos_v5", ++ rpc_gss_svc_privacy, ++ NULL, ++ &options_req, ++ &options_ret); ++ ++#if 0 + struct rpc_gss_sec sec; + + /* Allow unauthenticated option for testing. */ +@@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k + GSS_C_MUTUAL_FLAG + | GSS_C_REPLAY_FLAG, + 0, NULL, NULL, NULL); ++#endif + } + + kadm5_ret_t +diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c +--- old/src/lib/kadm5/clnt/client_principal.c ++++ new/src/lib/kadm5/clnt/client_principal.c +@@ -5,7 +5,7 @@ + * $Header$ + */ + +-#include ++#include + #include + #include + #ifdef HAVE_MEMORY_H +diff -pur old/src/lib/kadm5/clnt/client_rpc.c new/src/lib/kadm5/clnt/client_rpc.c +--- old/src/lib/kadm5/clnt/client_rpc.c ++++ new/src/lib/kadm5/clnt/client_rpc.c +@@ -1,5 +1,5 @@ + /* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */ +-#include ++#include + #include + #include + #include +diff -pur old/src/lib/kadm5/clnt/clnt_policy.c new/src/lib/kadm5/clnt/clnt_policy.c +--- old/src/lib/kadm5/clnt/clnt_policy.c ++++ new/src/lib/kadm5/clnt/clnt_policy.c +@@ -5,7 +5,7 @@ + * $Header$ + */ + +-#include ++#include + #include + #include + #include "client_internal.h" +diff -pur old/src/lib/kadm5/clnt/clnt_privs.c new/src/lib/kadm5/clnt/clnt_privs.c +--- old/src/lib/kadm5/clnt/clnt_privs.c ++++ new/src/lib/kadm5/clnt/clnt_privs.c +@@ -7,7 +7,7 @@ + * + */ + +-#include ++#include + #include + #include + #include "client_internal.h" +diff -pur old/src/lib/kadm5/deps new/src/lib/kadm5/deps +--- old/src/lib/kadm5/deps ++++ new/src/lib/kadm5/deps +@@ -90,6 +90,20 @@ str_conv.so str_conv.po $(OUTPRE)str_con + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h admin_internal.h \ + str_conv.c ++kadm_host_srv_names.so kadm_host_srv_names.po $(OUTPRE)kadm_host_srv_names.$(OBJEXT): \ ++ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ ++ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb5/os/os-proto.h \ ++ $(top_srcdir)/include/fake-addrinfo.h $(top_srcdir)/include/k5-buf.h \ ++ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ ++ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ ++ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ ++ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ ++ $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ ++ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ ++ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ ++ $(top_srcdir)/include/socket-utils.h admin.h kadm_host_srv_names.c + logger.so logger.po $(OUTPRE)logger.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h \ +diff -pur old/src/lib/kadm5/kadm_rpc.h new/src/lib/kadm5/kadm_rpc.h +--- old/src/lib/kadm5/kadm_rpc.h ++++ new/src/lib/kadm5/kadm_rpc.h +@@ -2,7 +2,7 @@ + #ifndef __KADM_RPC_H__ + #define __KADM_RPC_H__ + +-#include ++#include + + #include + #include +@@ -345,5 +345,8 @@ extern bool_t xdr_gstrings_ret (); + extern bool_t xdr_sstring_arg (); + extern bool_t xdr_krb5_string_attr (); + ++/* Solaris libc doesn't define 32 bit version of xdr_int and xdr_u_int */ ++#define xdr_int32 xdr_int ++#define xdr_u_int32 xdr_u_int + + #endif /* __KADM_RPC_H__ */ +diff -pur old/src/lib/kadm5/kadm_rpc_xdr.c new/src/lib/kadm5/kadm_rpc_xdr.c +--- old/src/lib/kadm5/kadm_rpc_xdr.c ++++ new/src/lib/kadm5/kadm_rpc_xdr.c +@@ -3,7 +3,7 @@ + * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved + */ + +-#include ++#include + #include + #include + #include +diff -pur old/src/lib/kadm5/server_internal.h new/src/lib/kadm5/server_internal.h +--- old/src/lib/kadm5/server_internal.h ++++ new/src/lib/kadm5/server_internal.h +@@ -257,4 +257,8 @@ k5_kadm5_hook_remove (krb5_context conte + + /** @}*/ + ++/* Solaris Kerberos: symbols available in libkadm5srv_mit */ ++extern void xdralloc_create(XDR *xdrs, enum xdr_op op); ++extern caddr_t xdralloc_getdata(XDR *xdrs); ++ + #endif /* __KADM5_SERVER_INTERNAL_H__ */ +diff -pur old/src/lib/kadm5/srv/Makefile.in new/src/lib/kadm5/srv/Makefile.in +--- old/src/lib/kadm5/srv/Makefile.in ++++ new/src/lib/kadm5/srv/Makefile.in +@@ -14,13 +14,12 @@ LIBMINOR=0 + STOBJLISTS=../OBJS.ST OBJS.ST + + SHLIB_EXPDEPS=\ +- $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ + $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ + $(TOPLIBD)/libkdb5$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP) +-SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ ++SHLIB_EXPLIBS = -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ + -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err @GEN_LIB@ $(LIBS) + RELDIR=kadm5/srv + +@@ -38,6 +37,8 @@ SRCS = $(srcdir)/pwqual.c \ + $(srcdir)/server_init.c \ + $(srcdir)/svr_iters.c \ + $(srcdir)/svr_chpass_util.c \ ++ $(srcdir)/xdr_alloc.c \ ++ $(srcdir)/dyn.c \ + $(srcdir)/adb_xdr.c + + OBJS = pwqual.$(OBJEXT) \ +@@ -54,6 +55,8 @@ OBJS = pwqual.$(OBJEXT) \ + server_init.$(OBJEXT) \ + svr_iters.$(OBJEXT) \ + svr_chpass_util.$(OBJEXT) \ ++ xdr_alloc.$(OBJEXT) \ ++ dyn.$(OBJEXT) \ + adb_xdr.$(OBJEXT) + + STLIBOBJS = \ +@@ -71,6 +74,8 @@ STLIBOBJS = \ + server_init.o \ + svr_iters.o \ + svr_chpass_util.o \ ++ xdr_alloc.o \ ++ dyn.o \ + adb_xdr.o + + all-unix:: includes +diff -pur old/src/lib/kadm5/srv/adb_xdr.c new/src/lib/kadm5/srv/adb_xdr.c +--- old/src/lib/kadm5/srv/adb_xdr.c ++++ new/src/lib/kadm5/srv/adb_xdr.c +@@ -7,7 +7,7 @@ + + #include + #include +-#include ++#include + #include "server_internal.h" + #include "admin_xdr.h" + #ifdef HAVE_MEMORY_H +diff -pur old/src/lib/kadm5/srv/server_init.c new/src/lib/kadm5/srv/server_init.c +--- old/src/lib/kadm5/srv/server_init.c ++++ new/src/lib/kadm5/srv/server_init.c +@@ -233,8 +233,7 @@ kadm5_ret_t kadm5_init(krb5_context cont + + #define IPROP_REQUIRED_PARAMS \ + (KADM5_CONFIG_IPROP_ENABLED | \ +- KADM5_CONFIG_IPROP_LOGFILE | \ +- KADM5_CONFIG_IPROP_PORT) ++ KADM5_CONFIG_IPROP_LOGFILE) + + if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { + free_db_args(handle); +diff -pur old/src/lib/kdb/Makefile.in new/src/lib/kdb/Makefile.in +--- old/src/lib/kdb/Makefile.in ++++ new/src/lib/kdb/Makefile.in +@@ -14,9 +14,8 @@ RELDIR=kdb + + SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ +- $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +-SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS) ++SHLIB_EXPLIBS= -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS) + + adb_err.$(OBJEXT): adb_err.c + adb_err.c adb_err.h: $(srcdir)/adb_err.et +diff -pur old/src/lib/kdb/iprop_xdr.c new/src/lib/kdb/iprop_xdr.c +--- old/src/lib/kdb/iprop_xdr.c ++++ new/src/lib/kdb/iprop_xdr.c +@@ -9,6 +9,7 @@ + #pragma GCC diagnostic ignored "-Wunused-variable" + #endif + ++#if 0 + static bool_t + xdr_int16_t (XDR *xdrs, int16_t *objp) + { +@@ -38,6 +39,7 @@ xdr_uint32_t (XDR *xdrs, uint32_t *objp) + return FALSE; + return TRUE; + } ++#endif + + bool_t + xdr_utf8str_t (XDR *xdrs, utf8str_t *objp) +diff -pur old/src/lib/krb5/os/changepw.c new/src/lib/krb5/os/changepw.c +--- old/src/lib/krb5/os/changepw.c ++++ new/src/lib/krb5/os/changepw.c +@@ -57,7 +57,7 @@ struct sendto_callback_context { + * Wrapper function for the two backends + */ + +-static krb5_error_code ++krb5_error_code + locate_kpasswd(krb5_context context, const krb5_data *realm, + struct serverlist *serverlist, krb5_boolean no_udp) + { +diff -pur old/src/lib/krb5/os/locate_kdc.c new/src/lib/krb5/os/locate_kdc.c +--- old/src/lib/krb5/os/locate_kdc.c ++++ new/src/lib/krb5/os/locate_kdc.c +@@ -675,6 +675,14 @@ k5_locate_kdc(krb5_context context, cons + return k5_locate_server(context, realm, serverlist, stype, no_udp); + } + ++krb5_error_code ++k5_locate_kadmin(krb5_context context, const krb5_data *realm, ++ struct serverlist *serverlist) ++{ ++ return k5_locate_server(context, realm, serverlist, locate_service_kadmin, ++ 1); ++} ++ + krb5_boolean + k5_kdc_is_master(krb5_context context, const krb5_data *realm, + struct server_entry *server) +diff -pur old/src/lib/rpc/xdr_alloc.c new/src/lib/rpc/xdr_alloc.c +--- old/src/lib/rpc/xdr_alloc.c ++++ new/src/lib/rpc/xdr_alloc.c +@@ -35,18 +35,23 @@ + * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. + */ + +-#include +-#include ++#include ++#include ++#include ++#include + #include "dyn.h" + + static bool_t xdralloc_putlong(XDR *, long *); +-static bool_t xdralloc_putbytes(XDR *, caddr_t, unsigned int); ++static bool_t xdralloc_putbytes(XDR *, caddr_t, int); + static unsigned int xdralloc_getpos(XDR *); + static rpc_inline_t * xdralloc_inline(XDR *, int); + static void xdralloc_destroy(XDR *); ++static bool_t xdralloc_putint32(XDR *, int32_t *); + static bool_t xdralloc_notsup_getlong(XDR *, long *); +-static bool_t xdralloc_notsup_getbytes(XDR *, caddr_t, unsigned int); ++static bool_t xdralloc_notsup_getbytes(XDR *, caddr_t, int); + static bool_t xdralloc_notsup_setpos(XDR *, unsigned int); ++static bool_t xdralloc_notsup_getint32(XDR *, int32_t *); ++static bool_t xdralloc_notsup_control(XDR *, int, void *); + static struct xdr_ops xdralloc_ops = { + xdralloc_notsup_getlong, + xdralloc_putlong, +@@ -56,6 +61,11 @@ static struct xdr_ops xdralloc_ops = { + xdralloc_notsup_setpos, + xdralloc_inline, + xdralloc_destroy, ++ xdralloc_notsup_control, ++#if defined(_LP64) ++ xdralloc_notsup_getint32, ++ xdralloc_putint32, ++#endif + }; + + /* +@@ -96,7 +106,12 @@ static bool_t xdralloc_putlong( + register XDR *xdrs, + long *lp) + { +- int l = htonl((uint32_t) *lp); /* XXX need bounds checking */ ++#if defined(_LP64) ++ if ((*lp > INT32_MAX) || (*lp < INT32_MIN)) ++ return FALSE; ++#endif ++ ++ int l = htonl((uint32_t) *lp); + + /* XXX assumes sizeof(int)==4 */ + if (DynInsert((DynObject) xdrs->x_private, +@@ -106,11 +121,33 @@ static bool_t xdralloc_putlong( + return (TRUE); + } + ++#if defined(_LP64) ++static bool_t xdralloc_notsup_getint32( ++ register XDR *xdrs, ++ int32_t *lp) ++{ ++ return FALSE; ++} ++ ++static bool_t xdralloc_putint32( ++ register XDR *xdrs, ++ int32_t *lp) ++{ ++ int l = htonl((uint32_t) *lp); ++ ++ /* XXX assumes sizeof(int)==4 */ ++ if (DynInsert((DynObject) xdrs->x_private, ++ DynSize((DynObject) xdrs->x_private), &l, ++ sizeof(int)) != DYN_OK) ++ return FALSE; ++ return (TRUE); ++} ++#endif + + static bool_t xdralloc_notsup_getbytes( + register XDR *xdrs, + caddr_t addr, +- register unsigned int len) ++ register int len) + { + return FALSE; + } +@@ -119,7 +156,7 @@ static bool_t xdralloc_notsup_getbytes( + static bool_t xdralloc_putbytes( + register XDR *xdrs, + caddr_t addr, +- register unsigned int len) ++ register int len) + { + if (DynInsert((DynObject) xdrs->x_private, + DynSize((DynObject) xdrs->x_private), +@@ -148,3 +185,10 @@ static rpc_inline_t *xdralloc_inline( + { + return (rpc_inline_t *) 0; + } ++ ++static bool_t xdralloc_notsup_control(XDR *xdrs, ++ int request, ++ void *info) ++{ ++ return FALSE; ++} +diff -pur old/src/plugins/kdb/db2/adb_policy.c new/src/plugins/kdb/db2/adb_policy.c +--- old/src/plugins/kdb/db2/adb_policy.c ++++ new/src/plugins/kdb/db2/adb_policy.c +@@ -28,6 +28,9 @@ + return cl_ret; \ + } + ++/* Solaris Kerberos: symbols available from libkadm5srv_mit */ ++extern void xdralloc_create(XDR *, enum xdr_op); ++extern caddr_t xdralloc_getdata(XDR *); + + /* + * Function: osa_adb_create_policy +diff -pur old/src/plugins/kdb/db2/pol_xdr.c new/src/plugins/kdb/db2/pol_xdr.c +--- old/src/plugins/kdb/db2/pol_xdr.c ++++ new/src/plugins/kdb/db2/pol_xdr.c +@@ -1,6 +1,6 @@ + #include + #include +-#include ++#include + #include + #include + #include "policy_db.h" +diff -pur old/src/plugins/kdb/db2/policy_db.h new/src/plugins/kdb/db2/policy_db.h +--- old/src/plugins/kdb/db2/policy_db.h ++++ new/src/plugins/kdb/db2/policy_db.h +@@ -28,8 +28,8 @@ + + A better fix might be for db.h to include netinet/in.h if that's + where we find u_int32_t. */ +-#include +-#include ++#include ++#include + #include + #include "adb_err.h" + #include +diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c +--- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c ++++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c +@@ -3,6 +3,10 @@ + #include "princ_xdr.h" + #include + ++/* Solaris Kerberos: symbols available from libkadm5srv_mit*/ ++extern void xdralloc_create(XDR *, enum xdr_op); ++extern caddr_t xdralloc_getdata(XDR *); ++ + bool_t + ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) + { +diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h +--- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h ++++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h +@@ -4,7 +4,7 @@ + #include + #include + #include +-#include ++#include + + #ifdef HAVE_MEMORY_H + #include +diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c +--- old/src/slave/kpropd.c ++++ new/src/slave/kpropd.c +@@ -584,7 +584,7 @@ full_resync(CLIENT *clnt) + + memset(&clnt_res, 0, sizeof(clnt_res)); + +- status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, ++ status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int, + (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, + (caddr_t)&clnt_res, full_resync_timeout); + if (status == RPC_PROCUNAVAIL) { +diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in +--- old/src/tests/misc/Makefile.in ++++ new/src/tests/misc/Makefile.in +@@ -12,18 +12,16 @@ SRCS=\ + $(srcdir)/test_cxx_krb5.cpp \ + $(srcdir)/test_cxx_k5int.cpp \ + $(srcdir)/test_cxx_gss.cpp \ +- $(srcdir)/test_cxx_rpc.cpp \ + $(srcdir)/test_cxx_kadm5.cpp + + all:: test_getpw test_chpw_message + +-check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 ++check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 + $(RUN_SETUP) $(VALGRIND) ./test_getpw + $(RUN_SETUP) $(VALGRIND) ./test_chpw_message + $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 + $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int + $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss +- $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc + $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 + + test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) +@@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. + $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) + test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) + $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) +-test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) +- $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS) + test_cxx_kadm5: $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_DEPLIBS) + $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_kadm5 $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(LIBS) + + test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp + test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp +-test_cxx_rpc.$(OBJEXT): test_cxx_rpc.cpp + test_cxx_kadm5.$(OBJEXT): test_cxx_kadm5.cpp + + install:: + + clean:: +- $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o ++ $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o + +diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py +--- old/src/tests/t_iprop.py ++++ new/src/tests/t_iprop.py +@@ -1,50 +1,35 @@ + #!/usr/bin/python + + import os +-import re + + from k5test import * + + # Read lines from kpropd output until we are synchronized. Error if + # full_expected is true and we didn't see a full propagation or vice + # versa. +-def wait_for_prop(kpropd, full_expected, expected_old, expected_new): ++def wait_for_prop(kpropd, full_expected): + output('*** Waiting for sync from kpropd\n') +- full_seen = sleep_seen = prodded_after_dump = False +- old_sno = new_sno = -1 ++ full_seen = False + while True: + line = kpropd.stdout.readline() + if line == '': + fail('kpropd process exited unexpectedly') + output('kpropd: ' + line) + +- m = re.match(r'Calling iprop_get_updates_1 \(sno=(\d+) ', line) +- if m: +- if not full_seen: +- old_sno = int(m.group(1)) +- # Also record this as the new sno, in case we get back +- # UPDATE_NIL. +- new_sno = int(m.group(1)) +- +- m = re.match(r'Got incremental updates \(sno=(\d+) ', line) +- if m: +- new_sno = int(m.group(1)) +- + if 'KDC is synchronized' in line or 'Incremental updates:' in line: +- break ++ output('*** Sync complete\n') ++ if full_expected and not full_seen: ++ fail('Expected full dump but saw only incremental') ++ if full_seen and not full_expected: ++ fail('Expected incremental prop but saw full dump') ++ return + +- # After a full resync request, these lines could appear in +- # either order. +- if 'Waiting for' in line: +- sleep_seen = True + if 'load process for full propagation completed' in line: + full_seen = True +- if sleep_seen and full_seen and not prodded_after_dump: +- # Prod the kpropd parent into getting incrementals after +- # it finishes a DB load. This will be unnecessary if +- # kpropd is simplified to use a single process. ++ # kpropd's child process has finished a DB load; make the parent ++ # do another iprop request. This will be unnecessary if kpropd ++ # is simplified to use a single process. + kpropd.send_signal(signal.SIGUSR1) +- prodded_after_dump = True + + # Detect some failure conditions. + if 'Still waiting for full resync' in line: +@@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected, + if 'invalid return' in line: + fail('kadmind returned invalid result') + +- if full_expected and not full_seen: +- fail('Expected full dump but saw only incremental') +- if full_seen and not full_expected: +- fail('Expected incremental prop but saw full dump') +- if old_sno != expected_old: +- fail('Expected old serial %d from kpropd sync' % expected_old) +- if new_sno != expected_new: +- fail('Expected new serial %d from kpropd sync' % expected_new) +- +- # Wait until kpropd is sleeping before continuing, to avoid races. +- # (This is imperfect since there's there is a short window between +- # the fprintf and the sleep; kpropd will need design changes to +- # fix that.) +- while True: +- line = kpropd.stdout.readline() +- output('kpropd: ' + line) +- if 'Waiting for' in line: +- break +- output('*** Sync complete\n') +- +-# Verify the output of kproplog against the expected number of +-# entries, first and last serial number, and a list of principal names +-# for the update entrires. +-def check_ulog(num, first, last, entries, env=None): +- out = realm.run([kproplog], env=env) +- if 'Number of entries : ' + str(num) + '\n' not in out: +- fail('Expected %d entries' % num) +- if last: +- firststr = first and str(first) or 'None' +- if 'First serial # : ' + firststr + '\n' not in out: +- fail('Expected first serial number %d' % first) +- laststr = last and str(last) or 'None' +- if 'Last serial # : ' + laststr + '\n' not in out: +- fail('Expected last serial number %d' % last) +- assert(len(entries) == num) +- ser = first - 1 +- entindex = 0 +- for line in out.splitlines(): +- m = re.match(r'\tUpdate serial # : (\d+)$', line) +- if m: +- ser = ser + 1 +- if m.group(1) != str(ser): +- fail('Expected serial number %d in update entry' % ser) +- m = re.match(r'\tUpdate principal : (.*)$', line) +- if m: +- eprinc = entries[ser - first] +- if m.group(1) != eprinc: +- fail('Expected princ %s in update entry %d' % (eprinc, ser)) +- +-# slave1 will receive updates from master, and slave2 will receive +-# updates from slave1. Because of the awkward way iprop and kprop +-# port configuration currently works, we need separate config files +-# for the slave and master sides of slave1, but they use the same DB +-# and ulog file. +-conf = {'realms': {'$realm': {'iprop_enable': 'true', +- 'iprop_logfile': '$testdir/db.ulog'}}} +-conf_slave1 = {'realms': {'$realm': {'iprop_slave_poll': '600', +- 'iprop_logfile': '$testdir/ulog.slave1'}}, +- 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} +-conf_slave1m = {'realms': {'$realm': {'iprop_logfile': '$testdir/ulog.slave1', +- 'iprop_port': '$port8'}}, +- 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} +-conf_slave2 = {'realms': {'$realm': {'iprop_slave_poll': '600', +- 'iprop_logfile': '$testdir/ulog.slave2', +- 'iprop_port': '$port8'}}, +- 'dbmodules': {'db': {'database_name': '$testdir/db.slave2'}}} + +-realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) +-slave1 = realm.special_env('slave1', True, kdc_conf=conf_slave1) +-slave1m = realm.special_env('slave1m', True, kdc_conf=conf_slave1m) +-slave2 = realm.special_env('slave2', True, kdc_conf=conf_slave2) +- +-# Define some principal names. pr3 is long enough to cause internal +-# reallocs, but not long enough to grow the basic ulog entry size. +-pr1 = 'wakawaka@' + realm.realm +-pr2 = 'w@' + realm.realm +-c = 'chocolate-flavored-school-bus' +-cs = c + '/' +-pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c + +- '@' + realm.realm) ++# Verify the iprop log last serial number against an expected value, ++# on either the master or slave. ++def check_serial(realm, expected, env=None): ++ out = realm.run([kproplog, '-h'], env=env) ++ if 'Last serial # : ' not in out: ++ fail('Unexpected serial number') ++ ++ ++conf = { ++ 'realms': {'$realm': { ++ 'iprop_enable': 'true', ++ 'iprop_logfile' : '$testdir/db.ulog'}}} ++ ++conf_slave = { ++ 'realms': {'$realm': { ++ 'iprop_slave_poll': '600', ++ 'iprop_logfile' : '$testdir/db.slave.ulog'}}, ++ 'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}} + +-# Create the kpropd ACL file. +-acl_file = os.path.join(realm.testdir, 'kpropd-acl') +-acl = open(acl_file, 'w') +-acl.write(realm.host_princ + '\n') +-acl.close() ++realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) ++slave = realm.special_env('slave', True, kdc_conf=conf_slave) + + ulog = os.path.join(realm.testdir, 'db.ulog') + if not os.path.exists(ulog): +@@ -153,209 +74,117 @@ if not os.path.exists(ulog): + + # Create the principal used to authenticate kpropd to kadmind. + kiprop_princ = 'kiprop/' + hostname ++realm.addprinc(kiprop_princ) + realm.extract_keytab(kiprop_princ, realm.keytab) + +-# Create the initial slave1 and slave2 databases. ++# Create the slave db. + dumpfile = os.path.join(realm.testdir, 'dump') + realm.run([kdb5_util, 'dump', dumpfile]) +-realm.run([kdb5_util, 'load', dumpfile], slave1) +-realm.run([kdb5_util, 'load', dumpfile], slave2) ++realm.run([kdb5_util, 'load', dumpfile], slave) ++realm.run([kdb5_util, 'stash', '-P', 'master'], slave) + +-# Reinitialize the master ulog so we know exactly what to expect in +-# it. +-realm.run([kproplog, '-R']) +-check_ulog(0, 0, 0, []) ++# Make some changes to the master db. ++realm.addprinc('wakawaka') ++# Add a principal enough to make realloc likely, but not enough to grow ++# basic ulog entry size. ++c = 'chocolate-flavored-school-bus' ++cs = c + '/' ++longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c ++realm.addprinc(longname) ++realm.addprinc('w') ++realm.run_kadminl('modprinc -allow_tix w') ++realm.run_kadminl('modprinc +allow_tix w') + +-# Make some changes to the master DB. +-realm.addprinc(pr1) +-realm.addprinc(pr3) +-realm.addprinc(pr2) +-realm.run_kadminl('modprinc -allow_tix ' + pr2) +-realm.run_kadminl('modprinc +allow_tix ' + pr2) +-check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2]) +- +-# Start kpropd for slave1 and get a full dump from master. +-kpropd1 = realm.start_kpropd(slave1, ['-d']) +-wait_for_prop(kpropd1, True, 0, 5) +-out = realm.run_kadminl('listprincs', slave1) +-if pr1 not in out or pr2 not in out or pr3 not in out: +- fail('slave1 does not have all principals from master') +-check_ulog(0, 0, 5, [], slave1) ++check_serial(realm, '7') ++ ++# Set up the kpropd acl file. ++acl_file = os.path.join(realm.testdir, 'kpropd-acl') ++acl = open(acl_file, 'w') ++acl.write(realm.host_princ + '\n') ++acl.close() ++ ++# Start kpropd and get a full dump from master. ++kpropd = realm.start_kpropd(slave, ['-d']) ++wait_for_prop(kpropd, True) ++out = realm.run_kadminl('listprincs', slave) ++if longname not in out or 'wakawaka' not in out or 'w@' not in out: ++ fail('Slave does not have all principals from master') + + # Make a change and check that it propagates incrementally. +-realm.run_kadminl('modprinc -allow_tix ' + pr2) +-check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2]) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, False, 5, 6) +-check_ulog(1, 6, 6, [pr2], slave1) +-out = realm.run_kadminl('getprinc ' + pr2, slave1) ++realm.run_kadminl('modprinc -allow_tix w') ++check_serial(realm, '8') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, False) ++check_serial(realm, '8', slave) ++out = realm.run_kadminl('getprinc w', slave) + if 'Attributes: DISALLOW_ALL_TIX' not in out: +- fail('slave1 does not have modification from master') ++ fail('Slave does not have modification from master') + +-# Start kadmind -proponly for slave1. (Use the slave1m environment +-# which defines iprop_port to $port8.) +-slave1_out_dump_path = os.path.join(realm.testdir, 'dump.slave1.out') +-slave2_in_dump_path = os.path.join(realm.testdir, 'dump.slave2.in') +-slave2_kprop_port = str(realm.portbase + 9) +-slave1m['KPROP_PORT'] = slave2_kprop_port +-realm.start_server([kadmind, '-nofork', '-proponly', '-W', '-p', kdb5_util, +- '-K', kprop, '-F', slave1_out_dump_path], 'starting...', +- slave1m) +- +-# Start kpropd for slave2. The -A option isn't needed since we're +-# talking to the same host as master (we specify it anyway to exercise +-# the code), but slave2 defines iprop_port to $port8 so it will talk +-# to slave1. Get a full dump from slave1. +-kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, +- '-f', slave2_in_dump_path, '-p', kdb5_util, +- '-a', acl_file, '-A', hostname], 'ready', slave2) +-wait_for_prop(kpropd2, True, 0, 6) +-check_ulog(0, 0, 6, [], slave2) +-out = realm.run_kadminl('listprincs', slave1) +-if pr1 not in out or pr2 not in out or pr3 not in out: +- fail('slave2 does not have all principals from slave1') +- +-# Make another change and check that it propagates incrementally to +-# both slaves. +-realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1) +-check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1]) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, False, 6, 7) +-check_ulog(2, 6, 7, [pr2, pr1], slave1) +-out = realm.run_kadminl('getprinc ' + pr1, slave1) +-if 'Maximum renewable life: 0 days 22:00:00\n' not in out: +- fail('slave1 does not have modification from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, False, 6, 7) +-check_ulog(1, 7, 7, [pr1], slave2) +-out = realm.run_kadminl('getprinc ' + pr1, slave2) +-if 'Maximum renewable life: 0 days 22:00:00\n' not in out: +- fail('slave2 does not have modification from slave1') +- +-# Reset the ulog on slave1 to force a full resync from master. The +-# resync will use the old dump file and then propagate changes. +-# slave2 should still be in sync with slave1 after the resync, so make +-# sure it doesn't take a full resync. +-realm.run([kproplog, '-R'], slave1) +-check_ulog(0, 0, 0, [], slave1) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 0, 7) +-check_ulog(2, 6, 7, [pr2, pr1], slave1) +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, False, 7, 7) +-check_ulog(1, 7, 7, [pr1], slave2) +- +-# Make another change and check that it propagates incrementally to +-# both slaves. ++# Make another change and check that it propagates incrementally. + realm.run_kadminl('modprinc +allow_tix w') +-check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, False, 7, 8) +-check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1) +-out = realm.run_kadminl('getprinc ' + pr2, slave1) ++check_serial(realm, '9') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, False) ++check_serial(realm, '9', slave) ++out = realm.run_kadminl('getprinc w', slave) + if 'Attributes:\n' not in out: +- fail('slave1 does not have modification from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, False, 7, 8) +-check_ulog(2, 7, 8, [pr1, pr2], slave2) +-out = realm.run_kadminl('getprinc ' + pr2, slave2) ++ fail('Slave does not have modification from master') ++ ++# Reset the ulog on the slave side to force a full resync to the slave. ++realm.run([kproplog, '-R'], slave) ++check_serial(realm, 'None', slave) ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, True) ++check_serial(realm, '9', slave) ++ ++# Make another change and check that it propagates incrementally. ++realm.run_kadminl('modprinc +allow_tix w') ++check_serial(realm, '10') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, False) ++check_serial(realm, '10', slave) ++out = realm.run_kadminl('getprinc w', slave) + if 'Attributes:\n' not in out: +- fail('slave2 does not have modification from slave1') ++ fail('Slave has different state from master') + + # Create a policy and check that it propagates via full resync. + realm.run_kadminl('addpol -minclasses 2 testpol') +-check_ulog(0, 0, 0, []) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 8, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) ++check_serial(realm, 'None') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, True) ++check_serial(realm, 'None', slave) ++out = realm.run_kadminl('getpol testpol', slave) + if 'Minimum number of password character classes: 2' not in out: +- fail('slave1 does not have policy from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 8, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) +-if 'Minimum number of password character classes: 2' not in out: +- fail('slave2 does not have policy from slave1') ++ fail('Slave does not have policy from master') + + # Modify the policy and test that it also propagates via full resync. + realm.run_kadminl('modpol -minlength 17 testpol') +-check_ulog(0, 0, 0, []) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 0, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) +-if 'Minimum password length: 17' not in out: +- fail('slave1 does not have policy change from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 0, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) ++check_serial(realm, 'None') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, True) ++check_serial(realm, 'None', slave) ++out = realm.run_kadminl('getpol testpol', slave) + if 'Minimum password length: 17' not in out: +- fail('slave2 does not have policy change from slave1') ++ fail('Slave does not have policy change from master') + + # Delete the policy and test that it propagates via full resync. + realm.run_kadminl('delpol -force testpol') +-check_ulog(0, 0, 0, []) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 0, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) ++check_serial(realm, 'None') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, True) ++check_serial(realm, 'None', slave) ++out = realm.run_kadminl('getpol testpol', slave) + if 'Policy does not exist' not in out: +- fail('slave1 did not get policy deletion from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 0, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) +-if 'Policy does not exist' not in out: +- fail('slave2 did not get policy deletion from slave1') +- +-# Modify a principal on the master and test that it propagates via +-# full resync. (The master's ulog does not remember the timestamp it +-# had at serial number 0, so it does not know that an incremental +-# propagation is possible.) +-realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1) +-check_ulog(1, 1, 1, [pr1]) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 0, 1) +-check_ulog(0, 0, 1, [], slave1) +-out = realm.run_kadminl('getprinc ' + pr1, slave1) +-if 'Maximum ticket life: 0 days 00:10:00' not in out: +- fail('slave1 does not have modification from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 0, 1) +-check_ulog(0, 0, 1, [], slave2) +-out = realm.run_kadminl('getprinc ' + pr1, slave2) +-if 'Maximum ticket life: 0 days 00:10:00' not in out: +- fail('slave2 does not have modification from slave1') +- +-# Delete a principal and test that it propagates incrementally to +-# slave1. slave2 needs another full resync because slave1 no longer +-# has serial number 1 in its ulog after processing its first +-# incremental update. +-realm.run_kadminl('delprinc -force ' + pr3) +-check_ulog(2, 1, 2, [pr1, pr3]) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, False, 1, 2) +-check_ulog(1, 2, 2, [pr3], slave1) +-out = realm.run_kadminl('getprinc ' + pr3, slave1) +-if 'Principal does not exist' not in out: +- fail('slave1 does not have principal deletion from master') +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 1, 2) +-check_ulog(0, 0, 2, [], slave2) +-out = realm.run_kadminl('getprinc ' + pr3, slave2) +-if 'Principal does not exist' not in out: +- fail('slave2 does not have principal deletion from slave1') ++ fail('Slave did not get policy deletion from master') + +-# Reset the ulog on the master to force a full resync. ++# Reset the ulog on the master side to force a full resync to all slaves. ++# XXX Note that we only have one slave in this test, so we can't really ++# test this. + realm.run([kproplog, '-R']) +-check_ulog(0, 0, 0, []) +-kpropd1.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd1, True, 2, 0) +-check_ulog(0, 0, 0, [], slave1) +-kpropd2.send_signal(signal.SIGUSR1) +-wait_for_prop(kpropd2, True, 2, 0) +-check_ulog(0, 0, 0, [], slave2) ++check_serial(realm, 'None') ++kpropd.send_signal(signal.SIGUSR1) ++wait_for_prop(kpropd, True) ++check_serial(realm, 'None', slave) + + success('iprop tests') ++ +diff -pur old/src/tests/t_kadmin_acl.py new/src/tests/t_kadmin_acl.py +--- old/src/tests/t_kadmin_acl.py ++++ new/src/tests/t_kadmin_acl.py +@@ -9,7 +9,7 @@ def make_client(name): + ccache = os.path.join(realm.testdir, + 'kadmin_ccache_' + name.replace('/', '_')) + realm.kinit(name, password(name), +- flags=['-S', 'kadmin/admin', '-c', ccache]) ++ flags=['-S', 'kadmin/' + hostname, '-c', ccache]) + return ccache + + def kadmin_as(client, query): +diff -pur old/src/util/gss-kernel-lib/Makefile.in new/src/util/gss-kernel-lib/Makefile.in +--- old/src/util/gss-kernel-lib/Makefile.in ++++ new/src/util/gss-kernel-lib/Makefile.in +@@ -7,7 +7,7 @@ ALL_CFLAGS=$(CPPFLAGS) $(CFLAGS) $(WARN_ + SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +-SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS) ++SHLIB_EXPLIBS= -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS) + + SRCS= \ + k5seal.c \ +diff -pur old/src/util/k5test.py new/src/util/k5test.py +--- old/src/util/k5test.py ++++ new/src/util/k5test.py +@@ -972,7 +972,7 @@ class K5Realm(object): + princname = self.admin_princ + pw = password('admin') + return self.kinit(princname, pw, +- flags=['-S', 'kadmin/admin', ++ flags=['-S', 'kadmin/' + hostname, + '-c', self.kadmin_ccache] + flags) + + def run_kadmin(self, query, **keywords): diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/029-kadmin_disable_anonymity.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,98 @@ +# +# Temporarily disable anonymity in kadmin (kadmin -n). +# +# This feature currently doesn't work with Solaris rpcsec_gss. +# Fails in gss_acquire_cred, because desired_name +# WELLKNOWN/ANONYMOUS@KRBTEST.COM != WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS +# +# The patch removes -n option from kadmin and its man pages and +# skips kadmin tests in t_pkinit.py. +# +# Support can be added later, if there is demand for it. +# This fix would need to either call gss_acquire_cred with empty desired name +# or disregard realm when matching desired name. +# Either way, rpcsec.so code would need to be adjusted too to accommodate this +# change. +# +# This patch is Solaris specific and not intented for upstream contribution. +# Patch source: in-house +# +diff -pur old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c +--- old/src/kadmin/cli/kadmin.c 2015-02-11 19:16:43.000000000 -0800 ++++ new/src/kadmin/cli/kadmin.c 2015-03-05 07:53:41.131383214 -0800 +@@ -282,7 +282,7 @@ kadmin_startup(int argc, char *argv[]) + } + + while ((optchar = getopt(argc, argv, +- "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { ++ "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { + switch (optchar) { + case 'x': + db_args_size++; +diff -pur old/src/man/kadmin.man new/src/man/kadmin.man +--- old/src/man/kadmin.man 2015-02-11 19:16:43.000000000 -0800 ++++ new/src/man/kadmin.man 2015-03-05 07:59:17.166151676 -0800 +@@ -37,7 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2 + [\fB\-r\fP \fIrealm\fP] + [\fB\-p\fP \fIprincipal\fP] + [\fB\-q\fP \fIquery\fP] +-[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP] ++[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]] + [\fB\-w\fP \fIpassword\fP] + [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]] + .sp +@@ -97,21 +97,6 @@ a password. In this case, the default p + Use \fIkeytab\fP to decrypt the KDC response. This can only be used + with the \fB\-k\fP option. + .TP +-.B \fB\-n\fP +-Requests anonymous processing. Two types of anonymous principals +-are supported. For fully anonymous Kerberos, configure PKINIT on +-the KDC and configure \fBpkinit_anchors\fP in the client\(aqs +-\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal +-of the form \fB@REALM\fP (an empty principal name followed by the +-at\-sign and a realm name). If permitted by the KDC, an anonymous +-ticket will be returned. A second form of anonymous tickets is +-supported; these realm\-exposed tickets hide the identity of the +-client but not the client\(aqs realm. For this mode, use \fBkinit +-\-n\fP with a normal principal name. If supported by the KDC, the +-principal (but not realm) will be replaced by the anonymous +-principal. As of release 1.8, the MIT Kerberos KDC only supports +-fully anonymous operation. +-.TP + .B \fB\-c\fP \fIcredentials_cache\fP + Use \fIcredentials_cache\fP as the credentials cache. The + cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP +diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py +--- old/src/tests/t_pkinit.py 2015-02-11 19:16:43.000000000 -0800 ++++ new/src/tests/t_pkinit.py 2015-03-05 09:09:09.690228292 -0800 +@@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/ANONYMOUS@WELLKNO + realm.run([kvno, realm.host_princ]) + + # Test anonymous kadmin. +-f = open(os.path.join(realm.testdir, 'acl'), 'a') +-f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') +-f.close() +-realm.start_kadmind() +-out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) +-if 'created.' not in out: +- fail('Could not create principal with anonymous kadmin') +-out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) +-if "Operation requires ``get'' privilege" not in out: +- fail('Anonymous kadmin has too much privilege') +-realm.stop_kadmind() ++sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); ++#f = open(os.path.join(realm.testdir, 'acl'), 'a') ++#f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') ++#f.close() ++#realm.start_kadmind() ++#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) ++#if 'created.' not in out: ++# fail('Could not create principal with anonymous kadmin') ++#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) ++#if "Operation requires ``get'' privilege" not in out: ++# fail('Anonymous kadmin has too much privilege') ++#realm.stop_kadmind() + + # Test with anonymous restricted; FAST should work but kvno should fail. + r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/030-force_dns_hostname_canon.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/030-force_dns_hostname_canon.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,148 @@ +# +# Force DNS name resolution when canonicalizing hostbased principal names. +# +# This patch is to preserve old standing Solaris Kerberos behavior, +# where hostbased principal names are canonicalized exclusively using DNS +# lookups. NIS has been known to cause issues with hostname canonicalization. +# +# This patch is not meant for upstream contribution. +# Patch source: in-house +# +diff -pur old/src/lib/krb5/os/sn2princ.c new/src/lib/krb5/os/sn2princ.c +--- old/src/lib/krb5/os/sn2princ.c 2015-02-11 19:16:43.000000000 -0800 ++++ new/src/lib/krb5/os/sn2princ.c 2015-05-12 04:14:40.341673659 -0700 +@@ -39,6 +39,14 @@ + #define DEFAULT_RDNS_LOOKUP 1 + #endif + ++/* ++ * The following prototypes are needed because these are ++ * private interfaces that do not have prototypes in any .h ++ */ ++extern struct hostent *res_getipnodebyname(const char *, int, int, int *); ++extern struct hostent *res_getipnodebyaddr(const void *, size_t, int, int *); ++extern void res_freehostent(struct hostent *); ++ + static krb5_boolean + use_reverse_dns(krb5_context context) + { +@@ -53,6 +61,26 @@ use_reverse_dns(krb5_context context) + return value; + } + ++/* ++ * Translate getipnodeby* error codes to strings for coherent error messaging. ++ */ ++static const char * ++get_host_error(int err) ++{ ++ switch(err) { ++ case HOST_NOT_FOUND: ++ return "host not found"; ++ case NO_DATA: ++ return "no data record of requested type"; ++ case NO_RECOVERY: ++ return "non-recoverable error"; ++ case TRY_AGAIN: ++ return "host name lookup failure"; ++ default: ++ return "error unknown"; ++ } ++} ++ + /* Set *name_out to the canonicalized form of name, obeying relevant + * configuration settings. The caller must free the result. */ + static krb5_error_code +@@ -63,11 +91,15 @@ canon_hostname(krb5_context context, krb + char namebuf[NI_MAXHOST], *copy, *p; + int err; + const char *canonhost; ++ struct hostent *hp = NULL; ++ struct hostent *hp2 = NULL; ++ int addr_family; + + *canonhost_out = NULL; + + canonhost = host; + if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) { ++#if 0 + /* Try a forward lookup of the hostname. */ + memset(&hint, 0, sizeof(hint)); + hint.ai_flags = AI_CANONNAME; +@@ -86,6 +118,31 @@ canon_hostname(krb5_context context, krb + if (!err) + canonhost = namebuf; + } ++#endif ++ /* using res_getipnodebyname to force dns name resolution*/ ++ addr_family = AF_INET; ++try_getipnodebyname_again: ++ hp = res_getipnodebyname(host, addr_family, 0, &err); ++ if (hp == NULL) { ++ if (addr_family == AF_INET) { ++ /* Just in case it's an IPv6-only name. */ ++ addr_family = AF_INET6; ++ goto try_getipnodebyname_again; ++ } ++ k5_setmsg(context, KRB5_ERR_BAD_HOSTNAME, ++ _("Hostname cannot be canonicalized for '%s': %s"), ++ host, get_host_error(err)); ++ return KRB5_ERR_BAD_HOSTNAME; ++ } ++ canonhost = hp->h_name; ++ ++ if (use_reverse_dns(context)) { ++ /* Try a reverse lookup of the address. */ ++ hp2 = res_getipnodebyaddr(hp->h_addr, hp->h_length, ++ hp->h_addrtype, &err); ++ if (hp2 != NULL) ++ canonhost = hp2->h_name; ++ } + } + + copy = strdup(canonhost); +@@ -110,9 +167,12 @@ canon_hostname(krb5_context context, krb + *canonhost_out = copy; + + cleanup: +- /* We only return success or ENOMEM. */ + if (ai != NULL) + freeaddrinfo(ai); ++ if (hp != NULL) ++ res_freehostent(hp); ++ if (hp2 != NULL) ++ res_freehostent(hp2); + return (*canonhost_out == NULL) ? ENOMEM : 0; + } + +diff -pur old/src/util/k5test.py new/src/util/k5test.py +--- old/src/util/k5test.py 2015-04-28 08:02:39.179471813 -0700 ++++ new/src/util/k5test.py 2015-05-13 06:36:54.073414866 -0700 +@@ -353,6 +353,7 @@ import string + import subprocess + import sys + import imp ++import re + + # Used when most things go wrong (other than programming errors) so + # that the user sees an error message rather than a Python traceback, +@@ -460,7 +461,19 @@ def _find_srctop(): + # because it explicitly prefers results containing periods and + # krb5_sname_to_principal doesn't care. + def _get_hostname(): ++ # in Solaris, we always canonicalize using FQDN by forcing DNS lookup + hostname = socket.gethostname() ++ # dig for fqdn, only output answer section ++ answer = subprocess.check_output(['/usr/sbin/dig', '+search', '+noall', '+answer', hostname]); ++ for line in answer.split("\n"): ++ # find A record ++ if re.search(r"\bA\b", line): ++ # only cut out the NAME part ++ return re.sub(r'\.?[ \t].*','',line) ++ ++ fail('Local hostname "%s" does not resolve: %s.' % (hostname, errstr)) ++ ++ # unreachable: + try: + ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME) + except socket.gaierror, (error, errstr): diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/031-kinit-support.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/031-kinit-support.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,151 @@ +# +# This patch is to provide additional Solaris krb5.conf parameter support +# for kinit command: +# +# forwardable = [true | false] +# proxiable = [true | false] +# renewable = [true | false] +# noaddresses = [true | false] +# +# Confirmed with MIT dev team. They won't accept this patch as enhancement. +# We will maintain it as patch. +# Patch source: in-house +# +--- ORIGINAL/src/clients/kinit/kinit.c 2015-04-30 13:46:57.411641188 -0700 ++++ MODIFIED/src/clients/kinit/kinit.c 2015-05-12 11:22:49.905473473 -0700 +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include "../../lib/krb5/prof_solaris.h" + + #ifdef GETOPT_LONG + #include +@@ -135,6 +136,34 @@ struct k_opts + int enterprise; + }; + ++int forwardable_flag = 0; ++int renewable_flag = 0; ++int proxiable_flag = 0; ++int no_address_flag = 0; ++profile_options_boolean config_option[] = { ++ { "forwardable", &forwardable_flag, 0 }, ++ { "renewable", &renewable_flag, 0 }, ++ { "proxiable", &proxiable_flag, 0 }, ++ { "no_addresses", &no_address_flag, 0 }, ++ { NULL, NULL, 0 } ++}; ++ ++char *renew_timeval=NULL; ++char *life_timeval=NULL; ++int lifetime_specified; ++int renewtime_specified; ++ ++profile_option_strings config_times[] = { ++ { "ticket_lifetime", &life_timeval, 0 }, ++ { "renew_lifetime", &renew_timeval, 0 }, ++ { NULL, NULL, 0 } ++}; ++ ++char *realmdef[] = { "realms", NULL, "kinit", NULL }; ++char *appdef[] = { "appdefaults", "kinit", NULL }; ++ ++#define krb_realm (*(realmdef + 1)) ++ + struct k5_data + { + krb5_context ctx; +@@ -720,6 +749,8 @@ k5_kinit(opts, k5) + krb5_error_code code = 0; + krb5_get_init_creds_opt *options = NULL; + int i; ++ krb5_timestamp now; ++ krb5_deltat lifetime = 0, rlife = 0, krb5_max_duration; + + memset(&my_creds, 0, sizeof(my_creds)); + +@@ -728,6 +759,83 @@ k5_kinit(opts, k5) + goto cleanup; + + /* ++ * If either tkt life or renew life weren't set earlier take common steps to ++ * get the krb5.conf parameter values. ++ * Also, check krb5.conf for proxiable/forwardable/renewable/no_address ++ * parameter values. ++ */ ++ if ((code = krb5_timeofday(k5->ctx, &now))) { ++ com_err(progname, code, gettext("while getting time of day")); ++ exit(1); ++ } ++ krb5_max_duration = KRB5_KDB_EXPIRATION - now - 60*60; ++ ++ if (opts->lifetime == 0 || opts->rlife == 0) { ++ ++ krb_realm = krb5_princ_realm(k5->ctx, k5->me)->data; ++ /* realm params take precedence */ ++ profile_get_options_string(k5->ctx->profile, realmdef, config_times); ++ profile_get_options_string(k5->ctx->profile, appdef, config_times); ++ ++ /* if the input opts doesn't have lifetime set and the krb5.conf ++ * parameter has been set, use that. ++ */ ++ if (opts->lifetime == 0 && life_timeval != NULL) { ++ code = krb5_string_to_deltat(life_timeval, &lifetime); ++ if (code != 0 || lifetime == 0 || lifetime > krb5_max_duration) { ++ fprintf(stderr, gettext("Bad max_life " ++ "value in Kerberos config file %s\n"), ++ life_timeval); ++ exit(1); ++ } ++ opts->lifetime = lifetime; ++ } ++ if (opts->rlife == 0 && renew_timeval != NULL) { ++ code = krb5_string_to_deltat(renew_timeval, &rlife); ++ if (code != 0 || rlife == 0 || rlife > krb5_max_duration) { ++ fprintf(stderr, gettext("Bad max_renewable_life " ++ "value in Kerberos config file %s\n"), ++ renew_timeval); ++ exit(1); ++ } ++ opts->rlife = rlife; ++ } ++ } ++ ++ /* ++ * If lifetime is not set on the cmdline or in the krb5.conf ++ * file, default to max. ++ */ ++ if (opts->lifetime == 0) ++ opts->lifetime = krb5_max_duration; ++ ++ ++ profile_get_options_boolean(k5->ctx->profile, ++ realmdef, config_option); ++ profile_get_options_boolean(k5->ctx->profile, ++ appdef, config_option); ++ ++ ++ /* cmdline opts take precedence over krb5.conf file values */ ++ if (!opts->not_proxiable && proxiable_flag) { ++ krb5_get_init_creds_opt_set_proxiable(options, 1); ++ } ++ if (!opts->not_forwardable && forwardable_flag) { ++ krb5_get_init_creds_opt_set_forwardable(options, 1); ++ } ++ if (renewable_flag) { ++ /* ++ * If this flag is set in krb5.conf, but rlife is 0, then ++ * set it to the max (and let the KDC sort it out). ++ */ ++ opts->rlife = opts->rlife ? opts->rlife : krb5_max_duration; ++ } ++ if (no_address_flag) { ++ /* cmdline opts will overwrite this below if needbe */ ++ krb5_get_init_creds_opt_set_address_list(options, NULL); ++ } ++ ++ /* + From this point on, we can goto cleanup because my_creds is + initialized. + */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/032-pam-krb5.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/032-pam-krb5.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,273 @@ +# +# This patch provides interfaces and functionality for the pam_krb5 module +# and for other libkadm5clnt dependents, such as AK. +# +# Note: MIT may be interested in a public form of k5_get_init_creds_password +# as the function returns the AS-REP, which can be used to glean key expiration, +# among others. A subsequent RFE-ticket will be filed for MIT. +# +# Note: MIT may decide to choose a different front-end support for multi-master +# configuration via kadm5_get_adm_host_srv_names, instead of using +# kadm5_get_admin_service_name, which returns the kadmin/ form instead of +# of kadmin@ for instance. In any case, a design such as this should be +# presented to MIT. +# Patch source: in-house +# +diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- old/src/lib/kadm5/clnt/client_init.c 2015-04-30 01:12:10.579373279 -0600 ++++ new/src/lib/kadm5/clnt/client_init.c 2015-05-26 23:38:41.638267439 -0600 +@@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm + { + int code = 0; + generic_ret *r; +- char *ccname_orig = NULL; ++ const char *ccname_orig = NULL; + char *iprop_svc; + boolean_t iprop_enable = B_FALSE; + char mech[] = "kerberos_v5"; +@@ -316,15 +316,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm + char *server; + int port; + +- /* service name is service/host */ +- server = strpbrk(service_name, "/"); ++ /* service name is service@host */ ++ server = strpbrk(service_name, "@"); + if (!server) { + code = KADM5_BAD_SERVER_NAME; + goto cleanup; + } +- +- /* but rpc_gss_secreate expects service@host */ +- *server++ = '@'; ++ server++; + + iprop_svc = strdup(KIPROP_SVC_NAME); + if (iprop_svc == NULL) +@@ -510,7 +508,7 @@ cleanup: + + static kadm5_ret_t + init_any(krb5_context context, char *client_name, enum init_type init_type, +- char *pass, krb5_ccache ccache_in, char *svcname_in, ++ char *pass, krb5_ccache ccache_in, char *svcname, + kadm5_config_params *params_in, krb5_ui_4 struct_version, + krb5_ui_4 api_version, char **db_args, void **server_handle) + { +@@ -528,7 +526,6 @@ init_any(krb5_context context, char *cli + + int code = 0; + generic_ret *r; +- char svcname[BUFSIZ]; + + initialize_ovk_error_table(); + /* initialize_adb_error_table(); */ +@@ -597,15 +594,19 @@ init_any(krb5_context context, char *cli + goto error; + + /* NULL svcname means use host-based. */ +- if (svcname_in == NULL) { +- code = kadm5_get_admin_service_name(handle->context, +- handle->params.realm, +- svcname, sizeof(svcname)); ++ if (svcname == NULL) { ++ char **kadmin_srv_names; ++ ++ code = kadm5_get_adm_host_srv_names(context, handle->params.realm, ++ &kadmin_srv_names); + if (code) + goto error; +- } else { +- strncpy(svcname, svcname_in, sizeof(svcname)); +- svcname[sizeof(svcname)-1] = '\0'; ++ svcname = strdup(kadmin_srv_names[0]); ++ free_srv_names(kadmin_srv_names); ++ if (svcname == NULL) { ++ code = ENOMEM; ++ goto error; ++ } + } + + /* Get credentials. */ +@@ -660,14 +661,52 @@ cleanup: + static kadm5_ret_t + get_init_creds(kadm5_server_handle_t handle, krb5_principal client, + enum init_type init_type, char *pass, krb5_ccache ccache_in, +- char *svcname, char *realm, krb5_principal *server_out) ++ char *svcname_in, char *realm, krb5_principal *server_out) + { + kadm5_ret_t code; + krb5_ccache ccache = NULL; ++ krb5_principal cprinc; ++ char svcbuf[BUFSIZ], *service, *host, *svcname, *save; + + *server_out = NULL; + + /* ++ * Convert the RPCSEC_GSS version to the host based version as this ++ * is what gic expects. ++ */ ++ if ((svcname = strdup(svcname_in)) == NULL) { ++ code = ENOMEM; ++ goto error; ++ } ++ if ((service = strtok_r(svcname, "@", &save)) != NULL) { ++ if ((host = strtok_r(NULL, "@", &save)) != NULL) { ++ char *str = NULL; ++ /* ++ * We want the canonical name here, via sname_to_principal. ++ */ ++ code = krb5_sname_to_principal(handle->context, host, service, ++ KRB5_NT_SRV_HST, &cprinc); ++ if (code) { ++ free(svcname); ++ goto error; ++ } ++ code = krb5_unparse_name_flags(handle->context, cprinc, ++ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &str); ++ krb5_free_principal(handle->context, cprinc); ++ if (code) { ++ free(svcname); ++ goto error; ++ } ++ (void) strncpy(svcbuf, str, sizeof(svcbuf)); ++ krb5_free_unparsed_name(handle->context, str); ++ } ++ } else { ++ strncpy(svcbuf, svcname, sizeof(svcbuf)); ++ svcbuf[sizeof(svcname)-1] = '\0'; ++ } ++ free(svcname); ++ ++ /* + * Acquire a service ticket for svcname@realm for client, using password + * pass (which could be NULL), and create a ccache to store them in. If + * INIT_CREDS, use the ccache we were provided instead. +@@ -702,7 +741,7 @@ get_init_creds(kadm5_server_handle_t han + } + handle->lhandle->cache_name = handle->cache_name; + +- code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, ++ code = gic_iter(handle, init_type, ccache, client, pass, svcbuf, realm, + server_out); + /* Improved error messages */ + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; +diff -pur old/src/lib/krb5/krb/gic_pwd.c new/src/lib/krb5/krb/gic_pwd.c +--- old/src/lib/krb5/krb/gic_pwd.c 2015-04-30 01:12:10.560945822 -0600 ++++ new/src/lib/krb5/krb/gic_pwd.c 2015-04-30 14:55:26.993611965 -0600 +@@ -5,6 +5,17 @@ + #include "int-proto.h" + #include "os-proto.h" + ++/* ++ * See the function's definition for the description of this interface. ++ */ ++krb5_error_code ++k5_get_init_creds_password(krb5_context, krb5_creds *, ++ krb5_principal, const char *, ++ krb5_prompter_fct, void *, ++ krb5_deltat, const char *, ++ krb5_get_init_creds_opt *, ++ krb5_kdc_rep **); ++ + krb5_error_code + krb5_get_as_key_password(krb5_context context, + krb5_principal client, +@@ -135,7 +146,7 @@ krb5_init_creds_set_password(krb5_contex + + /* Return the password expiry time indicated by enc_part2. Set *is_last_req + * if the information came from a last_req value. */ +-static void ++void + get_expiry_times(krb5_enc_kdc_rep_part *enc_part2, krb5_timestamp *pw_exp, + krb5_timestamp *acct_exp, krb5_boolean *is_last_req) + { +@@ -288,6 +299,35 @@ krb5_get_init_creds_password(krb5_contex + const char *in_tkt_service, + krb5_get_init_creds_opt *options) + { ++ /* ++ * We call our own private function that returns the as_reply back to ++ * the caller. This structure contains information, such as ++ * key-expiration and last-req fields. Entities such as pam_krb5 can ++ * use this information to provide account/password expiration warnings. ++ * The original "prompter" interface is not granular enough for PAM, ++ * as it will perform all passes w/o coordination with other modules. ++ */ ++ return (k5_get_init_creds_password(context, creds, client, password, ++ prompter, data, start_time, ++ in_tkt_service, options, NULL)); ++} ++ ++/* ++ * See krb5_get_init_creds_password()'s comments for the justification of this ++ * private function. Caller must free ptr_as_reply if non-NULL. ++ */ ++krb5_error_code KRB5_CALLCONV ++k5_get_init_creds_password(krb5_context context, ++ krb5_creds *creds, ++ krb5_principal client, ++ const char *password, ++ krb5_prompter_fct prompter, ++ void *data, ++ krb5_deltat start_time, ++ const char *in_tkt_service, ++ krb5_get_init_creds_opt *options, ++ krb5_kdc_rep **ptr_as_reply) ++{ + krb5_error_code ret; + int use_master; + krb5_kdc_rep *as_reply; +@@ -503,8 +543,12 @@ cleanup: + memset(pw0array, 0, sizeof(pw0array)); + memset(pw1array, 0, sizeof(pw1array)); + krb5_free_cred_contents(context, &chpw_creds); +- if (as_reply) +- krb5_free_kdc_rep(context, as_reply); ++ if (as_reply != NULL) { ++ if (ptr_as_reply == NULL) ++ krb5_free_kdc_rep(context, as_reply); ++ else ++ *ptr_as_reply = as_reply; ++ } + k5_clear_error(&errsave); + + return(ret); +diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c +--- old/src/slave/kpropd.c 2015-04-30 01:12:10.629801044 -0600 ++++ new/src/slave/kpropd.c 2015-05-04 14:12:25.818752484 -0600 +@@ -640,6 +640,7 @@ do_iprop() + params.realm = def_realm; + + if (master_svc_princstr == NULL) { ++#if 0 + retval = kadm5_get_kiprop_host_srv_name(kpropd_context, def_realm, + &master_svc_princstr); + if (retval) { +@@ -649,6 +650,27 @@ do_iprop() + progname, def_realm); + return retval; + } ++#endif ++ char **kiprop_srv_names; ++ ++ retval = kadm5_get_kiprop_host_srv_names(kpropd_context, def_realm, ++ &kiprop_srv_names); ++ if (retval) { ++ com_err(progname, retval, ++ _("%s: unable to get kiprop host based " ++ "service name for realm %s\n"), ++ progname, def_realm); ++ return retval; ++ } ++ master_svc_princstr = strdup(kiprop_srv_names[0]); ++ free_srv_names(kiprop_srv_names); ++ if (master_svc_princstr == NULL) { ++ com_err(progname, retval, ++ _("%s: unable to allocate memory for kiprop host based " ++ "service name for realm %s\n"), ++ progname, def_realm); ++ return ENOMEM; ++ } + } + + retval = krb5_sname_to_principal(kpropd_context, NULL, KIPROP_SVC_NAME, diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/033-pkinit-pin.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/033-pkinit-pin.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,388 @@ +# +# This patch allows a PIN for PKINIT to be set through the cred options, which +# is how pam_krb5 currently conveys this information through the get_init_creds +# interface. +# +# Note: MIT may not be interested in this patch given that they have +# developed there own responder framework for setting PINs. This solution +# should be investigated in the future to have pam_krb5 make these calls +# directly or through a utility library. +# Patch source: in-house +# +diff -pur old/src/plugins/preauth/pkinit/pkinit_clnt.c new/src/plugins/preauth/pkinit/pkinit_clnt.c +--- old/src/plugins/preauth/pkinit/pkinit_clnt.c 2015-05-08 12:37:14.618553502 -0600 ++++ new/src/plugins/preauth/pkinit/pkinit_clnt.c 2015-05-08 23:54:28.000000000 -0600 +@@ -29,6 +29,10 @@ + * SUCH DAMAGES. + */ + ++/* ++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #include "k5-int.h" + #include "pkinit.h" + #include "k5-json.h" +@@ -1571,6 +1575,10 @@ handle_gic_opt(krb5_context context, + pkiDebug("Setting flag to use RSA_PROTOCOL\n"); + plgctx->opts->dh_or_rsa = RSA_PROTOCOL; + } ++ } else if (strcmp(attr, "PIN") == 0) { ++ plgctx->idopts->PIN = strdup(value); ++ if (plgctx->idopts->PIN == NULL) ++ return ENOMEM; + } + return 0; + } +diff -pur old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +--- old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2015-05-08 12:37:14.617065120 -0600 ++++ new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2015-05-19 17:53:18.025396256 -0600 +@@ -29,6 +29,10 @@ + * SUCH DAMAGES. + */ + ++/* ++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #include "pkinit_crypto_openssl.h" + #include "k5-buf.h" + #include +@@ -851,6 +855,7 @@ pkinit_init_pkcs11(pkinit_identity_crypt + ctx->slotid = PK_NOSLOT; + ctx->token_label = NULL; + ctx->cert_label = NULL; ++ ctx->PIN = NULL; + ctx->session = CK_INVALID_HANDLE; + ctx->p11 = NULL; + #endif +@@ -883,6 +888,7 @@ pkinit_fini_pkcs11(pkinit_identity_crypt + free(ctx->token_label); + free(ctx->cert_id); + free(ctx->cert_label); ++ zapfreestr(ctx->PIN); + #endif + } + +@@ -3523,7 +3532,36 @@ pkinit_C_UnloadModule(void *handle) + dlclose(handle); + return CKR_OK; + } ++/* ++ * labelstr will be C string containing token label with trailing white space ++ * removed. ++ */ ++static void ++trim_token_label(CK_TOKEN_INFO *tinfo, char *labelstr, unsigned int labelstr_len) ++{ ++ int i; ++ ++ assert(labelstr_len > sizeof (tinfo->label)); ++ /* ++ * \0 terminate labelstr in case the last char in the token label is ++ * non-whitespace ++ */ ++ labelstr[sizeof (tinfo->label)] = '\0'; ++ (void) memcpy(labelstr, (char *) tinfo->label, sizeof (tinfo->label)); ++ ++ /* init i so terminating \0 is skipped */ ++ for (i = sizeof (tinfo->label) - 1; i >= 0; i--) { ++ if (labelstr[i] == ' ') ++ labelstr[i] = '\0'; ++ else ++ break; ++ } ++} + ++/* ++ * This function was changed to support a PIN being passed in. If that is the ++ * case the user will not be prompted for their PIN. ++ */ + static krb5_error_code + pkinit_login(krb5_context context, + pkinit_identity_crypto_context id_cryptoctx, +@@ -3539,6 +3577,15 @@ pkinit_login(krb5_context context, + if (tip->flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + rdat.data = NULL; + rdat.length = 0; ++ } else if (id_cryptoctx->PIN != NULL) { ++ if ((rdat.data = strdup(id_cryptoctx->PIN)) == NULL) ++ return ENOMEM; ++ /* ++ * Don't include NULL string terminator in length calculation as this ++ * PIN is passed to the C_Login function and only the text chars should ++ * be considered to be the PIN. ++ */ ++ rdat.length = strlen(id_cryptoctx->PIN); + } else if (password != NULL) { + rdat.data = strdup(password); + rdat.length = strlen(password); +@@ -3546,6 +3593,16 @@ pkinit_login(krb5_context context, + r = KRB5_LIBOS_CANTREADPWD; + rdat.data = NULL; + } else { ++ /* trim token label */ ++ char tmplabel[sizeof (tip->label) + 1]; ++ int prompt_len = sizeof (tip->label) + 256; ++ ++ if ((prompt = (char *) malloc(prompt_len)) == NULL) ++ return ENOMEM; ++ ++ /* trim token label which can be padded with space */ ++ trim_token_label(tip, tmplabel, sizeof (tmplabel)); ++ + if (tip->flags & CKF_USER_PIN_LOCKED) + warning = " (Warning: PIN locked)"; + else if (tip->flags & CKF_USER_PIN_FINAL_TRY) +@@ -3554,11 +3611,14 @@ pkinit_login(krb5_context context, + warning = " (Warning: PIN count low)"; + else + warning = ""; +- if (asprintf(&prompt, "%.*s PIN%s", (int) sizeof (tip->label), +- tip->label, warning) < 0) ++ if (asprintf(&prompt, "%.*s PIN%s", prompt_len, tmplabel, warning) < 0) + return ENOMEM; + rdat.data = malloc(tip->ulMaxPinLen + 2); + rdat.length = tip->ulMaxPinLen + 1; ++ /* ++ * Note that the prompter function will set rdat.length such that the ++ * NULL terminator is not included. ++ */ + + kprompt.prompt = prompt; + kprompt.hidden = 1; +@@ -3569,7 +3629,7 @@ pkinit_login(krb5_context context, + k5int_set_prompt_types(context, &prompt_type); + r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, + NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ k5int_set_prompt_types(context, NULL); + free(prompt); + } + +@@ -3582,7 +3642,7 @@ pkinit_login(krb5_context context, + r = KRB5KDC_ERR_PREAUTH_FAILED; + } + } +- free(rdat.data); ++ zapfree(rdat.data, rdat.length); + + return r; + } +@@ -3779,6 +3842,81 @@ pkinit_find_private_key(pkinit_identity_ + r = id_cryptoctx->p11->C_FindObjects(id_cryptoctx->session, objp, 1, &count); + id_cryptoctx->p11->C_FindObjectsFinal(id_cryptoctx->session); + pkiDebug("found %d private keys (%s)\n", (int) count, pkinit_pkcs11_code_to_text(r)); ++ ++ /* ++ * The CKA_ID may not be correctly set for the private key. For e.g. when ++ * storing a private key in softtoken pktool(1) doesn't generate or store ++ * a CKA_ID for the private key. Another way to identify the private key is ++ * to look for a private key with the same RSA modulus as the public key ++ * in the certificate. ++ */ ++ if (r == CKR_OK && count != 1) { ++ ++ EVP_PKEY *priv; ++ X509 *cert; ++ unsigned int n_len; ++ unsigned char *n_bytes; ++ ++ cert = sk_X509_value(id_cryptoctx->my_certs, 0); ++ priv = X509_get_pubkey(cert); ++ if (priv == NULL) { ++ pkiDebug("Failed to extract pub key from cert\n"); ++ return KRB5KDC_ERR_PREAUTH_FAILED; ++ } ++ ++ nattrs = 0; ++ cls = CKO_PRIVATE_KEY; ++ attrs[nattrs].type = CKA_CLASS; ++ attrs[nattrs].pValue = &cls; ++ attrs[nattrs].ulValueLen = sizeof cls; ++ nattrs++; ++ ++#ifdef PKINIT_USE_KEY_USAGE ++ true_false = TRUE; ++ attrs[nattrs].type = usage; ++ attrs[nattrs].pValue = &true_false; ++ attrs[nattrs].ulValueLen = sizeof true_false; ++ nattrs++; ++#endif ++ ++ keytype = CKK_RSA; ++ attrs[nattrs].type = CKA_KEY_TYPE; ++ attrs[nattrs].pValue = &keytype; ++ attrs[nattrs].ulValueLen = sizeof keytype; ++ nattrs++; ++ ++ n_len = BN_num_bytes(priv->pkey.rsa->n); ++ n_bytes = (unsigned char *) malloc((size_t) n_len); ++ if (n_bytes == NULL) { ++ return (ENOMEM); ++ } ++ ++ if (BN_bn2bin(priv->pkey.rsa->n, n_bytes) == 0) { ++ free (n_bytes); ++ pkiDebug("zero-byte key modulus\n"); ++ return KRB5KDC_ERR_PREAUTH_FAILED; ++ } ++ ++ attrs[nattrs].type = CKA_MODULUS; ++ attrs[nattrs].ulValueLen = n_len; ++ attrs[nattrs].pValue = n_bytes; ++ ++ nattrs++; ++ ++ r = id_cryptoctx->p11->C_FindObjectsInit(id_cryptoctx->session, attrs, nattrs); ++ free (n_bytes); ++ if (r != CKR_OK) { ++ pkiDebug("krb5_pkinit_sign_data: C_FindObjectsInit: %s\n", ++ pkinit_pkcs11_code_to_text(r)); ++ return KRB5KDC_ERR_PREAUTH_FAILED; ++ } ++ ++ r = id_cryptoctx->p11->C_FindObjects(id_cryptoctx->session, objp, 1, &count); ++ id_cryptoctx->p11->C_FindObjectsFinal(id_cryptoctx->session); ++ pkiDebug("found %d private keys (%s)\n", (int) count, pkinit_pkcs11_code_to_text(r)); ++ ++ } ++ + if (r != CKR_OK || count < 1) + return KRB5KDC_ERR_PREAUTH_FAILED; + return 0; +@@ -4174,7 +4312,10 @@ pkinit_get_certs_pkcs12(krb5_context con + } else if (id_cryptoctx->prompter == NULL) { + /* We can't use a prompter. */ + goto cleanup; +- } else { ++ } else if (id_cryptoctx->PIN != NULL) { ++ rdat.data = id_cryptoctx->PIN; ++ /* note rdat.length isn't needed in this case */ ++ } else { + /* Ask using a prompter. */ + memset(prompt_reply, '\0', sizeof(prompt_reply)); + rdat.data = prompt_reply; +@@ -4193,7 +4334,7 @@ pkinit_get_certs_pkcs12(krb5_context con + k5int_set_prompt_types(context, &prompt_type); + r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, + NULL, NULL, 1, &kprompt); +- k5int_set_prompt_types(context, 0); ++ k5int_set_prompt_types(context, NULL); + if (r) { + pkiDebug("Failed to prompt for PKCS12 password"); + goto cleanup; +@@ -4501,6 +4642,11 @@ pkinit_get_certs_pkcs11(krb5_context con + if (id_cryptoctx->cert_label == NULL) + return ENOMEM; + } ++ if (idopts->PIN != NULL) { ++ id_cryptoctx->PIN = strdup(idopts->PIN); ++ if (id_cryptoctx->PIN == NULL) ++ return ENOMEM; ++ } + /* Convert the ascii cert_id string into a binary blob */ + if (idopts->cert_id_string != NULL) { + BIGNUM *bn = NULL; +diff -pur old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +--- old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h 2015-05-08 12:37:14.618921565 -0600 ++++ new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h 2015-05-08 23:22:37.000000000 -0600 +@@ -28,6 +28,10 @@ + * SUCH DAMAGES. + */ + ++/* ++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #ifndef _PKINIT_CRYPTO_OPENSSL_H + #define _PKINIT_CRYPTO_OPENSSL_H + +@@ -78,6 +82,7 @@ struct _pkinit_identity_crypto_context { + CK_SLOT_ID slotid; + char *token_label; + char *cert_label; ++ char *PIN; + /* These are crypto-specific */ + void *p11_module; + CK_SESSION_HANDLE session; +diff -pur old/src/plugins/preauth/pkinit/pkinit_identity.c new/src/plugins/preauth/pkinit/pkinit_identity.c +--- old/src/plugins/preauth/pkinit/pkinit_identity.c 2015-05-08 12:37:14.615376527 -0600 ++++ new/src/plugins/preauth/pkinit/pkinit_identity.c 2015-05-08 23:26:14.000000000 -0600 +@@ -29,6 +29,10 @@ + * SUCH DAMAGES. + */ + ++/* ++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #include + #include + #include +@@ -135,6 +139,7 @@ pkinit_init_identity_opts(pkinit_identit + opts->token_label = NULL; + opts->cert_id_string = NULL; + opts->cert_label = NULL; ++ opts->PIN = NULL; + #endif + + *idopts = opts; +@@ -218,9 +223,13 @@ pkinit_dup_identity_opts(pkinit_identity + if (newopts->cert_label == NULL) + goto cleanup; + } ++ if (src_opts->PIN != NULL) { ++ newopts->PIN = strdup(src_opts->PIN); ++ if (newopts->PIN == NULL) ++ goto cleanup; ++ } + #endif + +- + *dest_opts = newopts; + return 0; + cleanup: +@@ -248,6 +257,7 @@ pkinit_fini_identity_opts(pkinit_identit + free(idopts->token_label); + free(idopts->cert_id_string); + free(idopts->cert_label); ++ zapfreestr(idopts->PIN); + #endif + free(idopts); + } +diff -pur old/src/plugins/preauth/pkinit/pkinit.h new/src/plugins/preauth/pkinit/pkinit.h +--- old/src/plugins/preauth/pkinit/pkinit.h 2015-05-08 12:37:14.616200703 -0600 ++++ new/src/plugins/preauth/pkinit/pkinit.h 2015-05-12 23:52:10.000000000 -0600 +@@ -28,10 +28,14 @@ + * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGES. + */ ++/* ++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ + + #ifndef _PKINIT_H + #define _PKINIT_H + ++#include + #include + #include + #include +@@ -42,7 +46,7 @@ + #ifndef WITHOUT_PKCS11 + #include "pkcs11.h" + +-#define PKCS11_MODNAME "opensc-pkcs11.so" ++#define PKCS11_MODNAME "libpkcs11.so" + #define PK_SIGLEN_GUESS 1000 + #define PK_NOSLOT 999999 + #endif +@@ -182,6 +186,7 @@ typedef struct _pkinit_identity_opts { + char *token_label; + char *cert_id_string; + char *cert_label; ++ char *PIN; + #endif + } pkinit_identity_opts; + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/034-migrate.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/034-migrate.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,276 @@ +# +# This patch provides an authorization scheme for kadmind when used to +# auto-migrate UNIX based users to Kerberos. This is required to support +# the auto-migrate module, pam_krb5_migrate(5). +# +# Note: MIT will unlikely want the pam_krb5_migrate kadmind authorization +# functionality as this is specific to a 3rd party migration design. +# Patch source: in-house +# +diff -pur old/src/kadmin/server/Makefile.in new/src/kadmin/server/Makefile.in +--- old/src/kadmin/server/Makefile.in 2015-04-30 01:12:10.540747993 -0600 ++++ new/src/kadmin/server/Makefile.in 2015-05-20 21:20:31.285698636 -0600 +@@ -13,7 +13,7 @@ SRCS = kadm_rpc_svc.c server_stubs.c ovs + all:: $(PROG) + + $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(VERTO_DEPLIB) +- $(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) ++ $(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) -lpam + + install:: + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG) +diff -pur old/src/kadmin/server/server_stubs.c new/src/kadmin/server/server_stubs.c +--- old/src/kadmin/server/server_stubs.c 2015-04-30 01:12:10.540973547 -0600 ++++ new/src/kadmin/server/server_stubs.c 2015-05-20 21:16:21.635418741 -0600 +@@ -16,6 +16,7 @@ + #include + #include /* krb5_klog_syslog */ + #include "misc.h" ++#include + + extern gss_name_t gss_changepw_name; + extern gss_name_t gss_oldchangepw_name; +@@ -352,6 +353,80 @@ log_done( + client_addr(rqstp->rq_xprt)); + } + ++/* ++ * This routine primarily validates the username and password ++ * of the principal to be created, if a prior acl check for ++ * the 'u' privilege succeeds. Validation is done using ++ * the PAM `k5migrate' service. k5migrate normally stacks ++ * pam_unix_auth.so and pam_unix_account.so in its auth and ++ * account stacks respectively. ++ * ++ * Returns 1 (true), if validation is successful, ++ * else returns 0 (false). ++ */ ++int ++verify_pam_pw(char *userdata, char *pwd) ++{ ++ pam_handle_t *pamh; ++ int err = 0; ++ int result = 1; ++ char *user = NULL; ++ char *ptr = NULL; ++ ++ ptr = strchr(userdata, '@'); ++ if (ptr != NULL) { ++ user = (char *)malloc(ptr - userdata + 1); ++ if (user == NULL) ++ return (0); ++ (void) strlcpy(user, userdata, (ptr - userdata) + 1); ++ } else { ++ user = (char *)strdup(userdata); ++ if (user == NULL) ++ return (0); ++ } ++ ++ err = pam_start("k5migrate", user, NULL, &pamh); ++ if (err != PAM_SUCCESS) { ++ syslog(LOG_ERR, "verify_pam_pw: pam_start() failed, %s\n", ++ pam_strerror(pamh, err)); ++ free(user); ++ return (0); ++ } ++ ++ err = pam_set_item(pamh, PAM_AUTHTOK, (void *)pwd); ++ if (err != PAM_SUCCESS) { ++ syslog(LOG_ERR, "verify_pam_pw: pam_set_item() failed, %s\n", ++ pam_strerror(pamh, err)); ++ free(user); ++ (void) pam_end(pamh, err); ++ return (0); ++ } ++ ++ err = pam_authenticate(pamh, PAM_SILENT); ++ if (err != PAM_SUCCESS) { ++ syslog(LOG_ERR, "verify_pam_pw: pam_authenticate() failed for " ++ "user=%s, %s\n", user, ++ pam_strerror(pamh, err)); ++ free(user); ++ (void) pam_end(pamh, err); ++ return (0); ++ } ++ ++ err = pam_acct_mgmt(pamh, PAM_SILENT); ++ if (err != PAM_SUCCESS) { ++ syslog(LOG_ERR, "verify_pam_pw: pam_acct_mgmt() failed for " ++ "user=%s, %s\n", user, ++ pam_strerror(pamh, err)); ++ free(user); ++ (void) pam_end(pamh, err); ++ return (0); ++ } ++ ++ free(user); ++ (void) pam_end(pamh, PAM_SUCCESS); ++ return (result); ++} ++ + generic_ret * + create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { +@@ -363,6 +438,8 @@ create_principal_2_svc(cprinc_arg *arg, + restriction_t *rp; + const char *errmsg = NULL; + gss_name_t name = NULL; ++ int policy_migrate = 0; ++ kadm5_ret_t retval; + + xdr_free(xdr_generic_ret, (char *) &ret); + +@@ -387,9 +464,17 @@ create_principal_2_svc(cprinc_arg *arg, + ret.code = KADM5_FAILURE; + goto exit_func; + } ++ ++ if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE, ++ arg->rec.principal, &rp) && ++ verify_pam_pw(prime_arg, arg->passwd)) { ++ policy_migrate = 1; ++ } ++ + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, name, ACL_ADD, +- arg->rec.principal, &rp) ++ || (!kadm5int_acl_check(handle->context, name, ACL_ADD, ++ arg->rec.principal, &rp) && ++ !(policy_migrate)) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +@@ -408,6 +493,25 @@ create_principal_2_svc(cprinc_arg *arg, + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); ++ ++ if (policy_migrate && (ret.code == 0)) { ++ arg->rec.policy = strdup("default"); ++ if ((arg->mask & KADM5_PW_EXPIRATION)) { ++ arg->mask = 0; ++ arg->mask |= KADM5_POLICY; ++ arg->mask |= KADM5_PW_EXPIRATION; ++ } else { ++ arg->mask = 0; ++ arg->mask |= KADM5_POLICY; ++ } ++ ++ retval = kadm5_modify_principal((void *)handle, ++ &arg->rec, arg->mask); ++ log_done("kadm5_modify_principal", ++ prime_arg, ((retval == 0) ? "success" : ++ error_message(retval)), &client_name, ++ &service_name, rqstp); ++ } + } + free(prime_arg); + gss_release_buffer(&minor_stat, &client_name); +@@ -431,6 +535,8 @@ create_principal3_2_svc(cprinc3_arg *arg + restriction_t *rp; + const char *errmsg = NULL; + gss_name_t name = NULL; ++ int policy_migrate = 0; ++ kadm5_ret_t retval; + + xdr_free(xdr_generic_ret, (char *) &ret); + +@@ -455,9 +561,17 @@ create_principal3_2_svc(cprinc3_arg *arg + ret.code = KADM5_FAILURE; + goto exit_func; + } ++ ++ if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE, ++ arg->rec.principal, &rp) && ++ verify_pam_pw(prime_arg, arg->passwd)) { ++ policy_migrate = 1; ++ } ++ + if (CHANGEPW_SERVICE(rqstp) +- || !kadm5int_acl_check(handle->context, name, ACL_ADD, +- arg->rec.principal, &rp) ++ || (!kadm5int_acl_check(handle->context, name, ACL_ADD, ++ arg->rec.principal, &rp) && ++ !(policy_migrate)) + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +@@ -477,6 +591,24 @@ create_principal3_2_svc(cprinc3_arg *arg + + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); ++ ++ if (policy_migrate && (ret.code == 0)) { ++ arg->rec.policy = strdup("default"); ++ if ((arg->mask & KADM5_PW_EXPIRATION)) { ++ arg->mask = 0; ++ arg->mask |= KADM5_POLICY; ++ arg->mask |= KADM5_PW_EXPIRATION; ++ } else { ++ arg->mask = 0; ++ arg->mask |= KADM5_POLICY; ++ } ++ ++ retval = kadm5_modify_principal((void *)handle, ++ &arg->rec, arg->mask); ++ log_done("kadm5_modify_principal", prime_arg, ++ ((retval == 0) ? "success" : error_message(retval)), ++ &client_name, &service_name, rqstp); ++ } + } + free(prime_arg); + gss_release_buffer(&minor_stat, &client_name); +diff -pur old/src/lib/kadm5/srv/server_acl.c new/src/lib/kadm5/srv/server_acl.c +--- old/src/lib/kadm5/srv/server_acl.c 2015-04-30 01:12:10.576699515 -0600 ++++ new/src/lib/kadm5/srv/server_acl.c 2015-05-20 21:00:21.476861745 -0600 +@@ -24,6 +24,10 @@ + * or implied warranty. + */ + ++/* ++ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #include "k5-int.h" + #include + #include +@@ -63,6 +67,7 @@ static const aop_t acl_op_table[] = { + { 'l', ACL_LIST }, + { 'p', ACL_IPROP }, + { 's', ACL_SETKEY }, ++ { 'u', ACL_MIGRATE }, + { 'x', ACL_ALL_MASK }, + { '*', ACL_ALL_MASK }, + { '\0', 0 } +diff -pur old/src/lib/kadm5/srv/server_acl.h new/src/lib/kadm5/srv/server_acl.h +--- old/src/lib/kadm5/srv/server_acl.h 2015-04-30 01:12:10.575948391 -0600 ++++ new/src/lib/kadm5/srv/server_acl.h 2015-05-20 21:00:26.742448675 -0600 +@@ -24,6 +24,10 @@ + * or implied warranty. + */ + ++/* ++ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. ++ */ ++ + #ifndef SERVER_ACL_H__ + #define SERVER_ACL_H__ + +@@ -59,6 +63,7 @@ + #define ACL_SETKEY 256 + #define ACL_IPROP 512 + #define ACL_RENAME (ACL_ADD+ACL_DELETE) ++#define ACL_MIGRATE 1024 + + #define ACL_ALL_MASK (ACL_ADD | \ + ACL_DELETE | \ +@@ -67,7 +72,8 @@ + ACL_INQUIRE | \ + ACL_LIST | \ + ACL_IPROP | \ +- ACL_SETKEY) ++ ACL_SETKEY | \ ++ ACL_MIGRATE) + + typedef struct _restriction { + long mask; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/035-multi-master.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/035-multi-master.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,692 @@ +# +# This patch provides support in kadmin and kpropd to work in a +# multi-master environment. +# +# Note that we have discussed support for this with MIT in the past but +# they have been reticent to add such support. It is possible that +# support for this may be introduced at a later time at which point we +# should look at modifying/deleting this patch. +# Patch source: in-house +# +diff -u -r old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c +--- old/src/kadmin/cli/kadmin.c 2015-05-28 15:10:45.129616302 -0500 ++++ new/src/kadmin/cli/kadmin.c 2015-05-29 13:32:41.901105712 -0500 +@@ -268,7 +268,7 @@ + char **db_args = NULL; + int db_args_size = 0; + char *db_name = NULL; +- char *svcname, *realm; ++ char **svcnames = NULL, *realm; + + memset(¶ms, 0, sizeof(params)); + +@@ -380,11 +380,6 @@ + params.mask |= KADM5_CONFIG_REALM; + params.realm = def_realm; + +- if (params.mask & KADM5_CONFIG_OLD_AUTH_GSSAPI) +- svcname = KADM5_ADMIN_SERVICE; +- else +- svcname = NULL; +- + /* + * Set cc to an open credentials cache, either specified by the -c + * argument or the default. +@@ -515,13 +510,15 @@ + if (ccache_name) { + printf(_("Authenticating as principal %s with existing " + "credentials.\n"), princstr); +- retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, ++ retval = kadm5_init_with_creds_mm(context, princstr, cc, svcnames, ++ ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, db_args, &handle); + } else if (use_anonymous) { + printf(_("Authenticating as principal %s with password; " + "anonymous requested.\n"), princstr); +- retval = kadm5_init_anonymous(context, princstr, svcname, ¶ms, ++ retval = kadm5_init_anonymous_mm(context, princstr, svcnames, ++ ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, db_args, &handle); + } else if (use_keytab) { +@@ -531,17 +528,20 @@ + else + printf(_("Authenticating as principal %s with default keytab.\n"), + princstr); +- retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname, ++ retval = kadm5_init_with_skey_mm(context, princstr, keytab_name, ++ svcnames, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, db_args, &handle); + } else { + printf(_("Authenticating as principal %s with password.\n"), + princstr); +- retval = kadm5_init_with_password(context, princstr, password, svcname, ++ retval = kadm5_init_with_password_mm(context, princstr, password, ++ svcnames, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, db_args, + &handle); + } ++ free_srv_names(svcnames); + if (retval) { + com_err(whoami, retval, _("while initializing %s interface"), whoami); + if (retval == KADM5_BAD_CLIENT_PARAMS || +diff -u -r old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h +--- old/src/lib/kadm5/admin.h 2015-05-28 15:10:45.095122403 -0500 ++++ new/src/lib/kadm5/admin.h 2015-05-28 15:34:35.800877732 -0500 +@@ -345,6 +345,51 @@ + krb5_ui_4 api_version, + char **db_args, + void **server_handle); ++kadm5_ret_t kadm5_init_with_creds_mm(krb5_context context, ++ char *client_name, ++ krb5_ccache ccache, ++ char **svcnames, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle); ++kadm5_ret_t kadm5_init_with_password_mm(krb5_context context, ++ char *client_name, ++ char *pass, ++ char **svcnames, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle); ++kadm5_ret_t kadm5_init_anonymous_mm(krb5_context context, ++ char *client_name, ++ char **svcnames, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle); ++kadm5_ret_t kadm5_init_mm(krb5_context context, ++ char *client_name, ++ char *pass, ++ char **svcnames, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle); ++kadm5_ret_t kadm5_init_with_skey_mm(krb5_context context, ++ char *client_name, ++ char *keytab, ++ char **svcnames, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle); ++ + kadm5_ret_t kadm5_lock(void *server_handle); + kadm5_ret_t kadm5_unlock(void *server_handle); + kadm5_ret_t kadm5_flush(void *server_handle); +diff -u -r old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- old/src/lib/kadm5/clnt/client_init.c 2015-05-28 15:10:45.192975632 -0500 ++++ new/src/lib/kadm5/clnt/client_init.c 2015-06-02 10:33:51.639341637 -0500 +@@ -55,7 +55,7 @@ + + static kadm5_ret_t + init_any(krb5_context context, char *client_name, enum init_type init_type, +- char *pass, krb5_ccache ccache_in, char *service_name, ++ char *pass, krb5_ccache ccache_in, char **service_names, + kadm5_config_params *params, krb5_ui_4 struct_version, + krb5_ui_4 api_version, char **db_args, void **server_handle); + +@@ -87,8 +87,25 @@ + krb5_ui_4 api_version, char **db_args, + void **server_handle) + { ++ char *svcnames[2]; ++ ++ svcnames[0] = service_name; ++ svcnames[1] = NULL; ++ ++ return init_any(context, client_name, INIT_CREDS, NULL, ccache, ++ svcnames, params, struct_version, api_version, db_args, ++ server_handle); ++} ++ ++kadm5_ret_t ++kadm5_init_with_creds_mm(krb5_context context, char *client_name, ++ krb5_ccache ccache, char **svcnames, ++ kadm5_config_params *params, krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, char **db_args, ++ void **server_handle) ++{ + return init_any(context, client_name, INIT_CREDS, NULL, ccache, +- service_name, params, struct_version, api_version, db_args, ++ svcnames, params, struct_version, api_version, db_args, + server_handle); + } + +@@ -99,7 +116,24 @@ + krb5_ui_4 api_version, char **db_args, + void **server_handle) + { +- return init_any(context, client_name, INIT_PASS, pass, NULL, service_name, ++ char *svcnames[2]; ++ ++ svcnames[0] = service_name; ++ svcnames[1] = NULL; ++ ++ return init_any(context, client_name, INIT_PASS, pass, NULL, svcnames, ++ params, struct_version, api_version, db_args, ++ server_handle); ++} ++ ++kadm5_ret_t ++kadm5_init_with_password_mm(krb5_context context, char *client_name, ++ char *pass, char **svcnames, ++ kadm5_config_params *params, krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, char **db_args, ++ void **server_handle) ++{ ++ return init_any(context, client_name, INIT_PASS, pass, NULL, svcnames, + params, struct_version, api_version, db_args, + server_handle); + } +@@ -110,8 +144,24 @@ + krb5_ui_4 struct_version, krb5_ui_4 api_version, + char **db_args, void **server_handle) + { ++ char *svcnames[2]; ++ ++ svcnames[0] = service_name; ++ svcnames[1] = NULL; ++ ++ return init_any(context, client_name, INIT_ANONYMOUS, NULL, NULL, ++ svcnames, params, struct_version, api_version, ++ db_args, server_handle); ++} ++ ++kadm5_ret_t ++kadm5_init_anonymous_mm(krb5_context context, char *client_name, ++ char **svcnames, kadm5_config_params *params, ++ krb5_ui_4 struct_version, krb5_ui_4 api_version, ++ char **db_args, void **server_handle) ++{ + return init_any(context, client_name, INIT_ANONYMOUS, NULL, NULL, +- service_name, params, struct_version, api_version, ++ svcnames, params, struct_version, api_version, + db_args, server_handle); + } + +@@ -121,7 +171,23 @@ + krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, + void **server_handle) + { +- return init_any(context, client_name, INIT_PASS, pass, NULL, service_name, ++ char *svcnames[2]; ++ ++ svcnames[0] = service_name; ++ svcnames[1] = NULL; ++ ++ return init_any(context, client_name, INIT_PASS, pass, NULL, svcnames, ++ params, struct_version, api_version, db_args, ++ server_handle); ++} ++ ++kadm5_ret_t ++kadm5_init_mm(krb5_context context, char *client_name, char *pass, ++ char **svcnames, kadm5_config_params *params, ++ krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, ++ void **server_handle) ++{ ++ return init_any(context, client_name, INIT_PASS, pass, NULL, svcnames, + params, struct_version, api_version, db_args, + server_handle); + } +@@ -133,8 +199,25 @@ + krb5_ui_4 api_version, char **db_args, + void **server_handle) + { ++ char *svcnames[2]; ++ ++ svcnames[0] = service_name; ++ svcnames[1] = NULL; ++ + return init_any(context, client_name, INIT_SKEY, keytab, NULL, +- service_name, params, struct_version, api_version, db_args, ++ svcnames, params, struct_version, api_version, db_args, ++ server_handle); ++} ++ ++kadm5_ret_t ++kadm5_init_with_skey_mm(krb5_context context, char *client_name, ++ char *keytab, char **svcnames, ++ kadm5_config_params *params, krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, char **db_args, ++ void **server_handle) ++{ ++ return init_any(context, client_name, INIT_SKEY, keytab, NULL, ++ svcnames, params, struct_version, api_version, db_args, + server_handle); + } + +@@ -338,7 +421,7 @@ + } + + /* +- * iprop fallback logic: ++ * iprop fallback logic: + * - if iprop_port is configured, connect to iprop_port + * - if not, query remote rpc/bind + * - if that fails, try consuming iprop service on kadmin port +@@ -506,9 +589,35 @@ + return (code); + } + ++/* utility function used below */ ++static void ++clean_up(kadm5_server_handle_t handle, ++ krb5_principal *server, ++ krb5_ccache *ccache) ++{ ++ if (handle->destroy_cache && handle->cache_name) { ++ if (krb5_cc_resolve(handle->context, ++ handle->cache_name, &ccache) == 0) ++ (void) krb5_cc_destroy (handle->context, ccache); ++ } ++ ++ free(handle->cache_name); ++ handle->cache_name = NULL; ++ ++ if (handle->clnt && handle->clnt->cl_auth) ++ AUTH_DESTROY(handle->clnt->cl_auth); ++ if (handle->clnt) { ++ clnt_destroy(handle->clnt); ++ handle->clnt = NULL; ++ } ++ ++ krb5_free_principal(handle->context, *server); ++ *server = NULL; ++} ++ + static kadm5_ret_t + init_any(krb5_context context, char *client_name, enum init_type init_type, +- char *pass, krb5_ccache ccache_in, char *svcname, ++ char *pass, krb5_ccache ccache_in, char **svcnames_in, + kadm5_config_params *params_in, krb5_ui_4 struct_version, + krb5_ui_4 api_version, char **db_args, void **server_handle) + { +@@ -526,6 +635,10 @@ + + int code = 0; + generic_ret *r; ++ char **kadmin_srv_names = NULL; ++ char *tmp_srv_names[2] = {NULL, NULL}; ++ char **svcname_ptr; ++ int i; + + initialize_ovk_error_table(); + /* initialize_adb_error_table(); */ +@@ -593,34 +706,56 @@ + if (code) + goto error; + +- /* NULL svcname means use host-based. */ +- if (svcname == NULL) { +- char **kadmin_srv_names; ++ if (svcnames_in == NULL || svcnames_in[0] == NULL) { ++ if (params_in && params_in->mask & KADM5_CONFIG_ADMIN_SERVER && ++ params_in->admin_server != NULL) { ++ /* User passed in a admin server host name so use that */ ++ if (asprintf(&tmp_srv_names[0], "%s@%s", KADM5_ADMIN_HOST_SERVICE, ++ params_in->admin_server) == -1) { ++ code = ENOMEM; ++ goto error; ++ } ++ svcname_ptr = tmp_srv_names; ++ } else { ++ /* Otherwise punt and get the admin server names. */ ++ code = kadm5_get_adm_host_srv_names(context, handle->params.realm, ++ &kadmin_srv_names); ++ if (code) ++ goto error; ++ svcname_ptr = kadmin_srv_names; ++ } ++ } else { ++ svcname_ptr = svcnames_in; ++ } + +- code = kadm5_get_adm_host_srv_names(context, handle->params.realm, +- &kadmin_srv_names); +- if (code) +- goto error; +- svcname = strdup(kadmin_srv_names[0]); +- free_srv_names(kadmin_srv_names); +- if (svcname == NULL) { +- code = ENOMEM; +- goto error; +- } ++ for (i = 0; svcname_ptr[i]; i++) { ++ /* Get credentials. */ ++ code = get_init_creds(handle, client, init_type, pass, ccache_in, ++ svcname_ptr[i], handle->params.realm, &server); ++ if (code) { ++ if (code == KADM5_SECURE_PRINC_MISSING || ++ code == KRB5_ERR_BAD_HOSTNAME) { ++ /* clean up for another go around */ ++ clean_up(handle, &server, &ccache); ++ continue; ++ } else ++ goto error; ++ } ++ ++ code = _kadm5_initialize_rpcsec_gss_handle(handle, client_name, ++ svcname_ptr[i]); ++ if (code) { ++ /* clean up for another go around */ ++ clean_up(handle, &server, &ccache); ++ } else { ++ /* inited the rpcsec_gss handle, can stop looping now */ ++ break; ++ } + } + +- /* Get credentials. */ +- code = get_init_creds(handle, client, init_type, pass, ccache_in, +- svcname, handle->params.realm, &server); + if (code) + goto error; + +- code = _kadm5_initialize_rpcsec_gss_handle(handle, client_name, +- svcname); +- if (code != 0) { +- goto error; +- } +- + *server_handle = (void *) handle; + + goto cleanup; +@@ -653,6 +788,8 @@ + krb5_free_principal(handle->context, server); + if (code) + free(handle); ++ free_srv_names(kadmin_srv_names); ++ free(tmp_srv_names[0]); + + return code; + } +@@ -665,46 +802,43 @@ + { + kadm5_ret_t code; + krb5_ccache ccache = NULL; +- krb5_principal cprinc; + char svcbuf[BUFSIZ], *service, *host, *svcname, *save; ++ char strtok_buf[BUFSIZ]; + + *server_out = NULL; + +- /* +- * Convert the RPCSEC_GSS version to the host based version as this +- * is what gic expects. +- */ +- if ((svcname = strdup(svcname_in)) == NULL) { +- code = ENOMEM; +- goto error; +- } +- if ((service = strtok_r(svcname, "@", &save)) != NULL) { +- if ((host = strtok_r(NULL, "@", &save)) != NULL) { +- char *str = NULL; +- /* +- * We want the canonical name here, via sname_to_principal. +- */ +- code = krb5_sname_to_principal(handle->context, host, service, +- KRB5_NT_SRV_HST, &cprinc); +- if (code) { +- free(svcname); +- goto error; +- } +- code = krb5_unparse_name_flags(handle->context, cprinc, +- KRB5_PRINCIPAL_UNPARSE_NO_REALM, &str); +- krb5_free_principal(handle->context, cprinc); +- if (code) { +- free(svcname); +- goto error; +- } +- (void) strncpy(svcbuf, str, sizeof(svcbuf)); +- krb5_free_unparsed_name(handle->context, str); +- } ++ if (strpbrk(svcname_in, "@") == NULL) { ++ svcname = svcname_in; + } else { +- strncpy(svcbuf, svcname, sizeof(svcbuf)); +- svcbuf[sizeof(svcname)-1] = '\0'; ++ /* ++ * Convert the RPCSEC_GSS version to the host based version as this ++ * is what gic expects. ++ */ ++ (void) strlcpy(strtok_buf, svcname_in, sizeof(strtok_buf)); ++ service = strtok_r(strtok_buf, "@", &save); ++ if ((host = strtok_r(NULL, "@", &save)) != NULL) { ++ char *str = NULL; ++ krb5_principal cprinc; ++ /* ++ * We want the canonical name here, via sname_to_principal. ++ */ ++ code = krb5_sname_to_principal(handle->context, host, service, ++ KRB5_NT_SRV_HST, &cprinc); ++ if (code) ++ goto error; ++ ++ code = krb5_unparse_name_flags(handle->context, cprinc, ++ KRB5_PRINCIPAL_UNPARSE_NO_REALM, ++ &str); ++ krb5_free_principal(handle->context, cprinc); ++ if (code) ++ goto error; ++ ++ (void) strlcpy(svcbuf, str, sizeof(svcbuf)); ++ krb5_free_unparsed_name(handle->context, str); ++ svcname = svcbuf; ++ } + } +- free(svcname); + + /* + * Acquire a service ticket for svcname@realm for client, using password +@@ -741,7 +875,7 @@ + } + handle->lhandle->cache_name = handle->cache_name; + +- code = gic_iter(handle, init_type, ccache, client, pass, svcbuf, realm, ++ code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, + server_out); + /* Improved error messages */ + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; +diff -u -r old/src/lib/kadm5/clnt/libkadm5clnt_mit.exports new/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +--- old/src/lib/kadm5/clnt/libkadm5clnt_mit.exports 2015-02-11 21:16:43.000000000 -0600 ++++ new/src/lib/kadm5/clnt/libkadm5clnt_mit.exports 2015-05-28 15:34:35.828495806 -0500 +@@ -31,6 +31,11 @@ + kadm5_init_with_creds + kadm5_init_with_password + kadm5_init_with_skey ++kadm5_init_mm ++kadm5_init_anonymous_mm ++kadm5_init_with_creds_mm ++kadm5_init_with_password_mm ++kadm5_init_with_skey_mm + kadm5_lock + kadm5_modify_policy + kadm5_modify_principal +diff -u -r old/src/lib/kadm5/srv/server_init.c new/src/lib/kadm5/srv/server_init.c +--- old/src/lib/kadm5/srv/server_init.c 2015-05-28 15:10:45.100182433 -0500 ++++ new/src/lib/kadm5/srv/server_init.c 2015-05-29 12:40:47.354397224 -0500 +@@ -97,6 +97,29 @@ + server_handle); + } + ++/* ++ * The following *_mm() functions are also defined here because kadmin.local ++ * shares the same source as kadmin. One difference however is that ++ * kadmin.local links with libkadm5srv_mit.so instead of libkadm5clnt_mit.so so ++ * these functions must also be defined here. Given kadmin.local can only ++ * operate on one server, the *_mm() functions just pass in the first server in ++ * the list of service_names. ++ */ ++kadm5_ret_t kadm5_init_with_password_mm(krb5_context context, ++ char *client_name, ++ char *pass, char **service_names, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle) ++{ ++ return kadm5_init_with_password(context, client_name, pass, ++ service_names ? service_names[0] : NULL, ++ params, struct_version, api_version, ++ db_args, server_handle); ++} ++ + kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name, + char *service_name, + kadm5_config_params *params, +@@ -110,6 +133,20 @@ + server_handle); + } + ++kadm5_ret_t kadm5_init_anonymous_mm(krb5_context context, char *client_name, ++ char **service_names, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle) ++{ ++ return kadm5_init_anonymous(context, client_name, ++ service_names ? service_names[0] : NULL, ++ params, struct_version, api_version, ++ db_args, server_handle); ++} ++ + kadm5_ret_t kadm5_init_with_creds(krb5_context context, + char *client_name, + krb5_ccache ccache, +@@ -133,6 +170,22 @@ + server_handle); + } + ++kadm5_ret_t kadm5_init_with_creds_mm(krb5_context context, ++ char *client_name, ++ krb5_ccache ccache, ++ char **service_names, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle) ++{ ++ return kadm5_init_with_creds(context, client_name, ccache, ++ service_names ? service_names[0] : NULL, ++ params, struct_version, api_version, ++ db_args, server_handle); ++} ++ + + kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name, + char *keytab, char *service_name, +@@ -155,6 +208,20 @@ + server_handle); + } + ++kadm5_ret_t kadm5_init_with_skey_mm(krb5_context context, char *client_name, ++ char *keytab, char **service_names, ++ kadm5_config_params *params, ++ krb5_ui_4 struct_version, ++ krb5_ui_4 api_version, ++ char **db_args, ++ void **server_handle) ++{ ++ return kadm5_init_with_skey(context, client_name, keytab, ++ service_names ? service_names[0] : NULL, ++ params, struct_version, api_version, db_args, ++ server_handle); ++} ++ + kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, + char *service_name, + kadm5_config_params *params_in, +diff -u -r old/src/slave/kpropd.c new/src/slave/kpropd.c +--- old/src/slave/kpropd.c 2015-05-28 15:10:45.194095824 -0500 ++++ new/src/slave/kpropd.c 2015-05-29 12:17:56.397347156 -0500 +@@ -609,7 +609,7 @@ + kadm5_ret_t retval; + krb5_principal iprop_svc_principal; + void *server_handle = NULL; +- char *iprop_svc_princstr = NULL, *master_svc_princstr = NULL; ++ char *iprop_svc_princstr = NULL, **master_svc_princstrs = NULL; + unsigned int pollin, backoff_time; + int backoff_cnt = 0, reinit_cnt = 0; + struct timeval iprop_start, iprop_end; +@@ -639,22 +639,9 @@ + params.mask |= KADM5_CONFIG_REALM; + params.realm = def_realm; + +- if (master_svc_princstr == NULL) { +-#if 0 +- retval = kadm5_get_kiprop_host_srv_name(kpropd_context, def_realm, +- &master_svc_princstr); +- if (retval) { +- com_err(progname, retval, +- _("%s: unable to get kiprop host based " +- "service name for realm %s\n"), +- progname, def_realm); +- return retval; +- } +-#endif +- char **kiprop_srv_names; +- ++ if (master_svc_princstrs == NULL) { + retval = kadm5_get_kiprop_host_srv_names(kpropd_context, def_realm, +- &kiprop_srv_names); ++ &master_svc_princstrs); + if (retval) { + com_err(progname, retval, + _("%s: unable to get kiprop host based " +@@ -662,15 +649,6 @@ + progname, def_realm); + return retval; + } +- master_svc_princstr = strdup(kiprop_srv_names[0]); +- free_srv_names(kiprop_srv_names); +- if (master_svc_princstr == NULL) { +- com_err(progname, retval, +- _("%s: unable to allocate memory for kiprop host based " +- "service name for realm %s\n"), +- progname, def_realm); +- return ENOMEM; +- } + } + + retval = krb5_sname_to_principal(kpropd_context, NULL, KIPROP_SVC_NAME, +@@ -714,9 +692,9 @@ + fprintf(stderr, _("Initializing kadm5 as client %s\n"), + iprop_svc_princstr); + } +- retval = kadm5_init_with_skey(kpropd_context, iprop_svc_princstr, ++ retval = kadm5_init_with_skey_mm(kpropd_context, iprop_svc_princstr, + srvtab, +- master_svc_princstr, ++ master_svc_princstrs, + ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, +@@ -1014,7 +992,7 @@ + syslog(LOG_ERR, _("ERROR returned by master KDC, bailing.\n")); + done: + free(iprop_svc_princstr); +- free(master_svc_princstr); ++ free_srv_names(master_svc_princstrs); + krb5_free_default_realm(kpropd_context, def_realm); + kadm5_destroy(server_handle); + krb5_free_context(kpropd_context); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/036-verify-nofail.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/036-verify-nofail.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,96 @@ +# +# This patch changes the default behavior of MIT to that of Solaris, in which +# during initial authentication the KDC is verified by fetching a service +# ticket of the system. +# +# Note: MIT is unlikely to take this as a patch as they have a less strict +# position on validating a KDC during initial authentication. +# Patch source: in-house +# +diff -pur old/src/lib/krb5/krb/t_vfy_increds.c new/src/lib/krb5/krb/t_vfy_increds.c +--- old/src/lib/krb5/krb/t_vfy_increds.c 2015-05-28 14:42:17.094623052 -0600 ++++ new/src/lib/krb5/krb/t_vfy_increds.c 2015-05-28 15:53:08.651207899 -0600 +@@ -59,6 +59,9 @@ main(int argc, char **argv) + if (*argv != NULL && strcmp(*argv, "-n") == 0) { + argv++; + krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, TRUE); ++ } else if (*argv != NULL && strcmp(*argv, "-f") == 0) { ++ argv++; ++ krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, FALSE); + } + if (*argv != NULL) + check(krb5_parse_name(context, *argv, &princ)); +diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py +--- old/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 14:42:17.100176857 -0600 ++++ new/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 18:03:03.977698328 -0600 +@@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds']) + realm.run(['./t_vfy_increds', '-n']) + + # Remove the keytab and verify again. This should succeed if nofail +-# is not set, and fail if it is set. ++# is set to false and fail otherwise. + os.remove(realm.keytab) +-realm.run(['./t_vfy_increds']) ++realm.run(['./t_vfy_increds'], expected_code=1) + realm.run(['./t_vfy_increds', '-n'], expected_code=1) ++realm.run(['./t_vfy_increds', '-f']) + + # Create an empty keytab file and verify again. This simulates a + # system where an admin ran "touch krb5.keytab" to work around a + # Solaris Kerberos bug where krb5_kt_default() fails if the keytab +-# file doesn't exist. Verification should succeed in nofail is not +-# set. (An empty keytab file appears as corrupt to keytab calls, ++# file doesn't exist. Verification should succeed if nofail is ++# set to false. (An empty keytab file appears as corrupt to keytab calls, + # causing a KRB5_KEYTAB_BADVNO error, so any tightening of the + # krb5_verify_init_creds semantics needs to take this into account.) + open(realm.keytab, 'w').close() +-realm.run(['./t_vfy_increds']) ++realm.run(['./t_vfy_increds'], expected_code=1) + realm.run(['./t_vfy_increds', '-n'], expected_code=1) ++realm.run(['./t_vfy_increds', '-f']) + os.remove(realm.keytab) + + # Add an NFS service principal to keytab. Verify should ignore it by +-# default (succeeding unless nofail is set), but should verify with it ++# default (succeeding only when nofail is unset), but should verify with it + # when it is specifically requested. + realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ) + realm.run_kadminl('ktadd ' + realm.nfs_princ) +-realm.run(['./t_vfy_increds']) ++realm.run(['./t_vfy_increds'], expected_code=1) + realm.run(['./t_vfy_increds', '-n'], expected_code=1) + realm.run(['./t_vfy_increds', realm.nfs_princ]) + realm.run(['./t_vfy_increds', '-n', realm.nfs_princ]) +@@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real + # results with the default principal argument, but verification should + # now fail if we request it specifically. + realm.run_kadminl('change_password -randkey ' + realm.nfs_princ) +-realm.run(['./t_vfy_increds']) ++realm.run(['./t_vfy_increds'], expected_code=1) + realm.run(['./t_vfy_increds', '-n'], expected_code=1) + realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1) + realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1) +diff -pur old/src/lib/krb5/krb/vfy_increds.c new/src/lib/krb5/krb/vfy_increds.c +--- old/src/lib/krb5/krb/vfy_increds.c 2015-05-28 14:42:17.092454308 -0600 ++++ new/src/lib/krb5/krb/vfy_increds.c 2015-05-28 15:45:14.121515053 -0600 +@@ -33,8 +33,8 @@ + #include "k5-int.h" + #include "int-proto.h" + +-/* Return true if configuration demands that a keytab be present. (By default +- * verification will be skipped if no keytab exists.) */ ++/* Return true if configuration demands that a keytab be present. (Verification ++ * will only be skipped IFF verify_ap_req_nofail has been set to false.) */ + static krb5_boolean + nofail(krb5_context context, krb5_verify_init_creds_opt *options, + krb5_creds *creds) +@@ -48,7 +48,7 @@ nofail(krb5_context context, krb5_verify + KRB5_CONF_VERIFY_AP_REQ_NOFAIL, + &val) == 0) + return (val != 0); +- return FALSE; ++ return TRUE; + } + + static krb5_error_code diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/037-root-defcred.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/037-root-defcred.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,579 @@ +# +# This patch provides support in kerberos for root acquiring a default +# cred via either a root or host service principal keys in the keytab if +# root doesn't have a cred already. +# +# This is Solaris specific behavior that MIT will not take upstream. +# Patch source: in-house +# +diff -u -r old/src/include/k5-int.h new/src/include/k5-int.h +--- old/src/include/k5-int.h 2015-06-03 18:20:34.239623602 -0500 ++++ new/src/include/k5-int.h 2015-06-04 12:29:26.540947840 -0500 +@@ -2294,4 +2294,6 @@ + /* Define a shorter internal name for krb5_set_error_message. */ + #define k5_setmsg krb5_set_error_message + ++uid_t krb5_getuid(); ++ + #endif /* _KRB5_INT_H */ +Only in new/src/lib/gssapi/krb5: .init_sec_context.c.swp +diff -u -r old/src/lib/gssapi/krb5/init_sec_context.c new/src/lib/gssapi/krb5/init_sec_context.c +--- old/src/lib/gssapi/krb5/init_sec_context.c 2015-05-08 18:27:02.000000000 -0500 ++++ new/src/lib/gssapi/krb5/init_sec_context.c 2015-06-08 12:44:54.041616737 -0500 +@@ -104,6 +104,11 @@ + #endif + #include + #include ++#include ++ ++static OM_uint32 get_default_cred(OM_uint32 *, void *, gss_cred_id_t *); ++krb5_error_code krb5_kt_find_realm(krb5_context, krb5_keytab, krb5_principal, ++ krb5_data *); + + /* + * $Id$ +@@ -960,8 +965,11 @@ + /* verify the credential, or use the default */ + /*SUPPRESS 29*/ + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { +- major_status = kg_get_defcred(minor_status, &defcred); ++ major_status = get_default_cred(minor_status, context, ++ (gss_cred_id_t *)&defcred); ++ + if (major_status && GSS_ERROR(major_status)) { ++ save_error_info(*minor_status, context); + if (*context_handle == GSS_C_NO_CONTEXT) + krb5_free_context(context); + return(major_status); +@@ -1097,3 +1105,441 @@ + time_rec, + &exts); + } ++ ++/* Solaris Kerberos specific routines start */ ++ ++#define ROOT_UID 0 ++#define KRB5_DEFAULT_LIFE 60*60*10 ++ ++extern int ++safechown(const char *src, uid_t uid, gid_t gid, int mode); ++ ++/* Solaris Kerberos */ ++static OM_uint32 ++load_root_cred_using_keytab(OM_uint32 *minor_status, ++ krb5_context context, ++ const char *name, ++ krb5_int32 type) ++{ ++ krb5_creds my_creds; ++ krb5_principal me = NULL; ++ krb5_principal server = NULL; ++ krb5_error_code code; ++ krb5_ccache ccache = NULL; ++ krb5_keytab keytab = NULL; ++ krb5_timestamp now; ++ krb5_deltat lifetime = KRB5_DEFAULT_LIFE; /* -l option */ ++ krb5_get_init_creds_opt opt; ++ krb5_data tgtname = { ++ 0, ++ KRB5_TGS_NAME_SIZE, ++ KRB5_TGS_NAME ++ }; ++ char *svcname = NULL; ++ size_t kt_size; ++ krb5_boolean kt_is_file; ++ ++ if (!name) ++ return (GSS_S_FAILURE); ++ ++ memset((char *)&my_creds, 0, sizeof(my_creds)); ++ ++ if (code = krb5_kt_default(context, &keytab)) { ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ if (code = krb5_kt_have_content(context, keytab)) { ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ if (type == KRB5_NT_SRV_HST) ++ code = krb5_sname_to_principal(context, NULL, name, type, &me); ++ else ++ code = krb5_parse_name(context, name, &me); ++ ++ if (code == 0 && krb5_is_referral_realm(&me->realm)) { ++ krb5_data realm; ++ code = krb5_kt_find_realm(context, keytab, me, &realm); ++ if (code == 0) { ++ krb5_free_data_contents(context, &me->realm); ++ me->realm.length = realm.length; ++ me->realm.data = realm.data; ++ } else { ++ /* Try to set a useful error message */ ++ char *princ = NULL; ++ krb5_error_code ret; ++ ret = krb5_unparse_name(context, me, &princ); ++ ++ krb5_set_error_message(context, code, ++ _("Failed to find realm for %s in keytab"), ++ ret == 0 ? princ : "unknown"); ++ if (princ) ++ krb5_free_unparsed_name(context, princ); ++ } ++ } ++ ++ if (code) { ++ (void) krb5_kt_close(context, keytab); ++ krb5_free_principal(context, me); ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ my_creds.client = me; ++ ++ if ((code = krb5_build_principal_ext(context, &server, ++ krb5_princ_realm(context, me)->length, ++ krb5_princ_realm(context, me)->data, ++ tgtname.length, tgtname.data, ++ krb5_princ_realm(context, me)->length, ++ krb5_princ_realm(context, me)->data, ++ 0))) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ (void) krb5_kt_close(context, keytab); ++ return (GSS_S_FAILURE); ++ } ++ ++ my_creds.server = server; ++ my_creds.times.starttime = 0; /* start timer ++ * when request ++ * gets to KDC ++ */ ++ if ((code = krb5_timeofday(context, &now))) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ (void) krb5_kt_close(context, keytab); ++ return (GSS_S_FAILURE); ++ } ++ my_creds.times.endtime = now + lifetime; ++ my_creds.times.renew_till = 0; ++ ++ memset(&opt, 0, sizeof (opt)); ++ krb5_get_init_creds_opt_init(&opt); ++ krb5_get_init_creds_opt_set_tkt_life(&opt, lifetime); ++ ++ code = krb5_unparse_name(context, server, &svcname); ++ if (code != 0) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ (void) krb5_kt_close(context, keytab); ++ return (GSS_S_FAILURE); ++ } ++ /* ++ * Evidently (sigh), on success, krb5_get_init_creds_keytab ++ * changes the my_creds princ ptrs so we need to free those ++ * princs (me&server) as well as freeing all of my_creds contents. ++ */ ++ code = krb5_get_init_creds_keytab(context, ++ &my_creds, me, keytab, ++ 0, svcname, &opt); ++ ++ (void) krb5_kt_close(context, keytab); ++ ++ if (svcname != NULL) { ++ free(svcname); ++ svcname = NULL; ++ } ++ if (code) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ return (GSS_S_FAILURE); ++ } ++ ++ krb5_free_principal(context, server); ++ server = NULL; ++ ++ code = krb5_cc_resolve (context, ++ krb5_cc_default_name(context), ++ &ccache); ++ if (code != 0) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ return (GSS_S_FAILURE); ++ } ++ ++ code = krb5_cc_initialize (context, ccache, me); ++ krb5_free_principal(context, me); ++ me = NULL; ++ if (code != 0) { ++ *minor_status = code; ++ krb5_free_cred_contents(context, &my_creds); ++ (void) krb5_cc_close(context, ccache); ++ return (GSS_S_FAILURE); ++ } ++ ++ code = krb5_cc_store_cred(context, ccache, ++ &my_creds); ++ krb5_free_cred_contents(context, &my_creds); ++ (void) krb5_cc_close(context, ccache); ++ ++ if (code) { ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ return (GSS_S_COMPLETE); ++} ++ ++static OM_uint32 ++renew_ccache(OM_uint32 *minor_status, krb5_context context, uid_t uid) ++{ ++ krb5_principal me; ++ krb5_principal server; ++ krb5_creds creds; ++ krb5_creds tmpcreds; ++ krb5_creds *out_creds; ++ krb5_error_code code; ++ krb5_ccache ccache = NULL; ++ const char *ccache_name = NULL; ++ int options = 0; ++ krb5_data tgtname = { ++ 0, ++ KRB5_TGS_NAME_SIZE, ++ KRB5_TGS_NAME ++ }; ++ gid_t gid = getgid(); ++ ++ memset((char *)&creds, 0, sizeof(creds)); ++ memset((char *)&tmpcreds, 0, sizeof(creds)); ++ ++ if ((code = krb5_cc_default(context, &ccache))) { ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ if ((code = krb5_cc_get_principal(context, ccache, &me)) != 0) { ++ *minor_status = code; ++ (void) krb5_cc_close(context, ccache); ++ return (GSS_S_FAILURE); ++ } ++ ++ creds.client = me; ++ ++ if((code = krb5_build_principal_ext(context, &server, ++ krb5_princ_realm(context, me)->length, ++ krb5_princ_realm(context, me)->data, ++ tgtname.length, tgtname.data, ++ krb5_princ_realm(context, me)->length, ++ krb5_princ_realm(context, me)->data, ++ 0))) { ++ krb5_free_principal(context, me); ++ (void) krb5_cc_close(context, ccache); ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ ++ creds.server = server; ++ creds.ticket_flags = TKT_FLG_RENEWABLE; ++ ++ if ((krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_FLAGS, ++ &creds, &tmpcreds))) { ++ (void) krb5_cc_close(context, ccache); ++ return (KDC_ERR_BADOPTION); ++ } ++ ++ creds.ticket_flags = 0; ++ code = krb5_get_credentials_renew(context, options, ccache, ++ &creds, &out_creds); ++ krb5_free_cred_contents(context, &creds); ++ krb5_free_cred_contents(context, &tmpcreds); ++ ++ if (code) { ++ *minor_status = code; ++ (void) krb5_cc_close(context, ccache); ++ return (GSS_S_FAILURE); ++ } ++ ++ krb5_free_creds(context, out_creds); ++ ++ ccache_name = krb5_cc_default_name(context); ++ if (ccache_name == NULL) { ++ *minor_status = KRB5_FCC_INTERNAL; ++ (void) krb5_cc_close(context, ccache); ++ return (GSS_S_FAILURE); ++ } ++ ++ if (strncmp(ccache_name, "FILE:", strlen("FILE:")) == 0) { ++ ccache_name += strlen("FILE:"); ++ code = safechown(ccache_name, uid, gid, -1); ++ if (code == -1) { ++ (void) krb5_cc_destroy(context, ccache); ++ *minor_status = code; ++ return (GSS_S_FAILURE); ++ } ++ } ++ ++ (void) krb5_cc_close(context, ccache); ++ ++ return (GSS_S_COMPLETE); ++} ++ ++/* Solaris Kerberos */ ++#define SAM_ACCOUNT_LEN 17 /* 15:hostname + 1:$ + 1:\0 */ ++krb5_error_code ++get_sam_account_name(char **name) ++{ ++ char *p, localname[SAM_ACCOUNT_LEN]; ++ ++ if (name == NULL) ++ return (EINVAL); ++ ++ if (gethostname(localname, SAM_ACCOUNT_LEN) != 0) ++ return (errno); ++ ++ localname[SAM_ACCOUNT_LEN - 2] = '\0'; ++ ++ if ((p = strchr(localname, '.')) != NULL) ++ *p = '\0'; ++ ++ for (p = localname; *p; p++) ++ *p = toupper(*p); ++ ++ (void) strlcat(localname, "$", SAM_ACCOUNT_LEN); ++ ++ *name = strdup(localname); ++ if (*name == NULL) ++ return (ENOMEM); ++ ++ return (0); ++} ++ ++/* ++ * Solaris Kerberos: ++ * We enforce a minimum refresh time on the root cred. This avoids problems for ++ * the higher level communication protocol for having valid creds and ++ * setting up a valid context, only to have it expire before or while ++ * it is being used. For non root users we don't care since we do not refresh ++ * there creds, they get what they can get. ++ */ ++#define MIN_REFRESH_TIME 300 ++#define MIN_RENEW_TIME 1500 ++ ++/* get_default_cred() must be called with the krb5_mutex lock held */ ++static OM_uint32 ++get_default_cred(OM_uint32 *minor_status, void *ct, gss_cred_id_t *cred_handle) ++{ ++ krb5_timestamp now; ++ krb5_gss_cred_id_t cred; ++ OM_uint32 major; ++ OM_uint32 mntmp; ++ /* ++ * Solaris Kerberos ++ * Use krb5_getuid() to select the mechanism to obtain the uid. ++ */ ++ uid_t uid = krb5_getuid(); ++ krb5_context context = (krb5_context)ct; ++ ++ /* Get the default cred for user */ ++ if (((major = kg_get_defcred(minor_status, cred_handle)) != NULL) && ++ GSS_ERROR(major)) { ++ ++ /* If we're not root we're done */ ++ if (uid != ROOT_UID) ++ return (major); ++ ++ /* ++ * Try and get root's cred in the cache using keytab. ++ * ++ * First try "root", then try "host", and finally try the Security ++ * Account Manager (SAM) for MS AD interop. ++ */ ++ major = load_root_cred_using_keytab(minor_status, ++ context, "root", KRB5_NT_SRV_HST); ++ ++ if (major != GSS_S_COMPLETE) ++ major = load_root_cred_using_keytab(minor_status, ++ context, "host", ++ KRB5_NT_SRV_HST); ++ ++ if (major != GSS_S_COMPLETE) { ++ char *name; ++ krb5_error_code code; ++ ++ code = get_sam_account_name(&name); ++ if (code == 0) { ++ major = load_root_cred_using_keytab(minor_status, ++ context, name, ++ KRB5_NT_PRINCIPAL); ++ free(name); ++ } ++ } ++ ++ if (major != GSS_S_COMPLETE) ++ return (major); ++ ++ /* We should have valid tgt now in the cache, so get it. */ ++ major = kg_get_defcred(minor_status, cred_handle); ++ ++ return (major); ++ } ++ ++ /* We've got a gss cred handle that is a kerberos cred handle. */ ++ cred = (krb5_gss_cred_id_t)*cred_handle; ++ ++ /* If we can't get the time, assume the worst. */ ++ if (krb5_timeofday(context, &now)) { ++ (void) krb5_gss_release_cred(&mntmp, cred_handle); ++ return (GSS_S_CREDENTIALS_EXPIRED); ++ } ++ ++ /* ++ * Try and get root's cred in the cache using keytab. ++ * ++ * First try "root", then try "host", and finally try the Security ++ * Account Manager (SAM) for MS AD interop. ++ */ ++ /* If root's cred has expired re-get it */ ++ if (cred->expire && (cred->expire < now + MIN_REFRESH_TIME) && ++ (uid == ROOT_UID)) { ++ (void) krb5_gss_release_cred(&mntmp, cred_handle); ++ ++ major = load_root_cred_using_keytab(minor_status, ++ context, "root", KRB5_NT_SRV_HST); ++ ++ if (major != GSS_S_COMPLETE) ++ major = load_root_cred_using_keytab(minor_status, ++ context, "host", ++ KRB5_NT_SRV_HST); ++ ++ if (major != GSS_S_COMPLETE) { ++ char *name; ++ krb5_error_code code; ++ ++ code = get_sam_account_name(&name); ++ if (code == 0) { ++ major = load_root_cred_using_keytab(minor_status, ++ context, name, ++ KRB5_NT_PRINCIPAL); ++ free(name); ++ } ++ } ++ ++ if (major != GSS_S_COMPLETE) ++ return (major); ++ ++ major = kg_get_defcred(minor_status, cred_handle); ++ if (major != GSS_S_COMPLETE) ++ return (major); ++ ++ /* Any body else is SOL unless we can renew their credential cache */ ++ } else if (cred->expire && (cred->expire < now + MIN_RENEW_TIME) && ++ (cred->expire > now)) { ++ (void) krb5_gss_release_cred(&mntmp, cred_handle); ++ ++ major = renew_ccache(minor_status, context, uid); ++ if ((major != GSS_S_COMPLETE) && ++ (major != KDC_ERR_BADOPTION)) ++ return (major); ++ ++ major = kg_get_defcred(minor_status, cred_handle); ++ if (major != GSS_S_COMPLETE) ++ return (major); ++ ++ } ++ ++ /* Otherwise we got non expired creds */ ++ return (GSS_S_COMPLETE); ++} +diff -u -r old/src/lib/krb5/keytab/Makefile.in new/src/lib/krb5/keytab/Makefile.in +--- old/src/lib/krb5/keytab/Makefile.in 2015-06-03 18:20:34.099323499 -0500 ++++ new/src/lib/krb5/keytab/Makefile.in 2015-06-04 11:49:24.702959055 -0500 +@@ -13,6 +13,7 @@ + ktremove.o \ + ktfns.o \ + kt_file.o \ ++ kt_findrealm.o \ + kt_memory.o \ + kt_srvtab.o \ + read_servi.o \ +@@ -26,6 +27,7 @@ + $(OUTPRE)ktremove.$(OBJEXT) \ + $(OUTPRE)ktfns.$(OBJEXT) \ + $(OUTPRE)kt_file.$(OBJEXT) \ ++ $(OUTPRE)kt_findrealm.$(OBJEXT) \ + $(OUTPRE)kt_memory.$(OBJEXT) \ + $(OUTPRE)kt_srvtab.$(OBJEXT) \ + $(OUTPRE)read_servi.$(OBJEXT) \ +@@ -39,6 +41,7 @@ + $(srcdir)/ktremove.c \ + $(srcdir)/ktfns.c \ + $(srcdir)/kt_file.c \ ++ $(srcdir)/kt_findrealm.c \ + $(srcdir)/kt_memory.c \ + $(srcdir)/kt_srvtab.c \ + $(srcdir)/read_servi.c \ +diff -u -r old/src/lib/krb5/os/expand_path.c new/src/lib/krb5/os/expand_path.c +--- old/src/lib/krb5/os/expand_path.c 2015-05-08 18:27:02.000000000 -0500 ++++ new/src/lib/krb5/os/expand_path.c 2015-06-04 12:26:15.614110414 -0500 +@@ -291,7 +291,7 @@ + expand_userid(krb5_context context, PTYPE param, const char *postfix, + char **str) + { +- if (asprintf(str, "%lu", (unsigned long)getuid()) < 0) ++ if (asprintf(str, "%lu", (unsigned long)krb5_getuid()) < 0) + return ENOMEM; + return 0; + } +diff -u -r old/src/lib/krb5/os/Makefile.in new/src/lib/krb5/os/Makefile.in +--- old/src/lib/krb5/os/Makefile.in 2015-05-08 18:27:02.000000000 -0500 ++++ new/src/lib/krb5/os/Makefile.in 2015-06-04 12:00:15.668542036 -0500 +@@ -20,6 +20,7 @@ + gen_port.o \ + genaddrs.o \ + gen_rname.o \ ++ getuid.o \ + hostaddr.o \ + hostrealm.o \ + hostrealm_dns.o \ +@@ -44,6 +45,7 @@ + read_msg.o \ + read_pwd.o \ + realm_dom.o \ ++ safechown.o \ + sendto_kdc.o \ + sn2princ.o \ + thread_safe.o \ +@@ -66,6 +68,7 @@ + $(OUTPRE)gen_port.$(OBJEXT) \ + $(OUTPRE)genaddrs.$(OBJEXT) \ + $(OUTPRE)gen_rname.$(OBJEXT) \ ++ $(OUTPRE)getuid.$(OBJEXT) \ + $(OUTPRE)hostaddr.$(OBJEXT) \ + $(OUTPRE)hostrealm.$(OBJEXT) \ + $(OUTPRE)hostrealm_dns.$(OBJEXT) \ +@@ -90,6 +93,7 @@ + $(OUTPRE)read_msg.$(OBJEXT) \ + $(OUTPRE)read_pwd.$(OBJEXT) \ + $(OUTPRE)realm_dom.$(OBJEXT) \ ++ $(OUTPRE)safechown.$(OBJEXT) \ + $(OUTPRE)sendto_kdc.$(OBJEXT) \ + $(OUTPRE)sn2princ.$(OBJEXT) \ + $(OUTPRE)thread_safe.$(OBJEXT) \ +@@ -112,6 +116,7 @@ + $(srcdir)/gen_port.c \ + $(srcdir)/genaddrs.c \ + $(srcdir)/gen_rname.c \ ++ $(srcdir)/getuid.c \ + $(srcdir)/hostaddr.c \ + $(srcdir)/hostrealm.c \ + $(srcdir)/hostrealm_dns.c \ +@@ -136,6 +141,7 @@ + $(srcdir)/read_pwd.c \ + $(srcdir)/realm_dom.c \ + $(srcdir)/port2ip.c \ ++ $(srcdir)/safechown.c \ + $(srcdir)/sendto_kdc.c \ + $(srcdir)/sn2princ.c \ + $(srcdir)/thread_safe.c \ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/038-krb5-conf.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/038-krb5-conf.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,208 @@ +# +# This patch provides support for Solaris interfaces in krb5.conf and kdc.conf +# files for auth_to_local_realm and kdc_max_tcp_connections. +# +# Note: MIT may be interested in these configuration options though they may +# want a more dynamic solution for handling maximum RPC and TCP connections +# through kdc_max_tcp_connections. +# Patch source: in-house +# +diff -pur old/src/include/k5-int.h new/src/include/k5-int.h +--- old/src/include/k5-int.h 2015-06-03 16:56:30.904839037 -0600 ++++ new/src/include/k5-int.h 2015-06-07 21:27:29.766113292 -0600 +@@ -263,6 +263,7 @@ typedef unsigned char u_char; + #define KRB5_CONF_MASTER_KEY_TYPE "master_key_type" + #define KRB5_CONF_MAX_LIFE "max_life" + #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life" ++#define KRB5_CONF_MAX_TCP_CONNECTIONS "kdc_max_tcp_connections" + #define KRB5_CONF_MODULE "module" + #define KRB5_CONF_NOADDRESSES "noaddresses" + #define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral" +diff -pur old/src/include/net-server.h new/src/include/net-server.h +--- old/src/include/net-server.h 2015-06-03 16:56:30.911020661 -0600 ++++ new/src/include/net-server.h 2015-06-07 00:39:54.939610507 -0600 +@@ -52,6 +52,7 @@ krb5_error_code loop_setup_network(verto + krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle, + void (*reset)()); + void loop_free(verto_ctx *ctx); ++void setup_kdc_options(krb5_int32); + + /* to be supplied by the server application */ + +diff -pur old/src/include/osconf.hin new/src/include/osconf.hin +--- old/src/include/osconf.hin 2015-06-03 16:56:30.905987490 -0600 ++++ new/src/include/osconf.hin 2015-06-06 00:24:02.109378599 -0600 +@@ -94,6 +94,10 @@ + #define DEFAULT_KDC_UDP_PORTLIST "88,750" + #define DEFAULT_KDC_TCP_PORTLIST "88" + ++/* control # of kdc tcp connection */ ++#define DEFAULT_KDC_TCP_CONNECTIONS 45 ++#define MIN_KDC_TCP_CONNECTIONS 10 ++ + /* + * Defaults for the KADM5 admin system. + */ +diff -pur old/src/kdc/main.c new/src/kdc/main.c +--- old/src/kdc/main.c 2015-06-03 16:56:30.884798447 -0600 ++++ new/src/kdc/main.c 2015-06-07 00:42:33.937821705 -0600 +@@ -203,7 +203,8 @@ static krb5_error_code + init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname, + krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, + krb5_boolean def_manual, krb5_boolean def_restrict_anon, +- char **db_args, char *no_referral, char *hostbased) ++ char **db_args, char *no_referral, char *hostbased, ++ krb5_int32 def_max_tcp) + { + krb5_error_code kret; + krb5_boolean manual; +@@ -260,6 +261,8 @@ init_realm(kdc_realm_t *rdp, krb5_pointe + kret = ENOMEM; + goto whoops; + } ++ rdp->realm_max_tcp = def_max_tcp; ++ + /* Handle stash file */ + hierarchy[2] = KRB5_CONF_KEY_STASH_FILE; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_stash)) +@@ -621,6 +624,7 @@ initialize_realms(krb5_context kcontext, + char *hostbased = NULL; + int db_args_size = 0; + char **db_args = NULL; ++ krb5_int32 default_max_tcp; + + extern char *optarg; + +@@ -633,6 +637,13 @@ initialize_realms(krb5_context kcontext, + hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports)) + default_tcp_ports = 0; ++ hierarchy[1] = KRB5_CONF_MAX_TCP_CONNECTIONS; ++ if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, ++ &default_max_tcp)) { ++ default_max_tcp = DEFAULT_KDC_TCP_CONNECTIONS; ++ } else if (default_max_tcp < MIN_KDC_TCP_CONNECTIONS) { ++ default_max_tcp = DEFAULT_KDC_TCP_CONNECTIONS; ++ } + hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE; + if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) + max_dgram_reply_size = MAX_DGRAM_SIZE; +@@ -694,7 +705,8 @@ initialize_realms(krb5_context kcontext, + menctype, default_udp_ports, + default_tcp_ports, manual, + def_restrict_anon, db_args, +- no_referral, hostbased); ++ no_referral, hostbased, ++ default_max_tcp); + if (retval) { + fprintf(stderr, _("%s: cannot initialize realm %s - " + "see log file for details\n"), +@@ -811,7 +823,7 @@ initialize_realms(krb5_context kcontext, + retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype, + default_udp_ports, default_tcp_ports, manual, + def_restrict_anon, db_args, no_referral, +- hostbased); ++ hostbased, default_max_tcp); + if (retval) { + fprintf(stderr, _("%s: cannot initialize realm %s - see log " + "file for details\n"), argv[0], lrealm); +@@ -967,6 +979,9 @@ int main(int argc, char **argv) + return 1; + } + ++ /* Guaranteed to have at least one realm, which is fed the def options */ ++ setup_kdc_options(shandle.kdc_realmlist[0]->realm_max_tcp); ++ + /* Handle each realm's ports */ + for (i=0; i< shandle.kdc_numrealms; i++) { + char *cp = shandle.kdc_realmlist[i]->realm_ports; +diff -pur old/src/kdc/realm_data.h new/src/kdc/realm_data.h +--- old/src/kdc/realm_data.h 2015-06-03 16:56:30.885907080 -0600 ++++ new/src/kdc/realm_data.h 2015-06-06 22:52:44.710060227 -0600 +@@ -66,6 +66,7 @@ typedef struct __kdc_realm_data { + */ + char *realm_ports; /* Per-realm KDC UDP port */ + char *realm_tcp_ports; /* Per-realm KDC TCP port */ ++ krb5_int32 realm_max_tcp; /* Maximum TCP connections allowed */ + /* + * Per-realm parameters. + */ +diff -pur old/src/lib/apputils/net-server.c new/src/lib/apputils/net-server.c +--- old/src/lib/apputils/net-server.c 2015-06-03 16:56:31.835537747 -0600 ++++ new/src/lib/apputils/net-server.c 2015-06-07 01:17:20.123103672 -0600 +@@ -345,6 +345,12 @@ loop_add_tcp_port(int port) + return 0; + } + ++void ++setup_kdc_options(krb5_int32 max_tcp) ++{ ++ max_tcp_or_rpc_data_connections = max_tcp; ++} ++ + krb5_error_code + loop_add_rpc_service(int port, u_long prognum, + u_long versnum, void (*dispatchfn)()) +diff -pur old/src/lib/krb5/os/localauth.c new/src/lib/krb5/os/localauth.c +--- old/src/lib/krb5/os/localauth.c 2015-06-03 16:56:31.860283075 -0600 ++++ new/src/lib/krb5/os/localauth.c 2015-06-03 22:18:21.968345429 -0600 +@@ -258,6 +258,49 @@ parse_mapping_value(const char *value, c + return 0; + } + ++/* ++ * Return true (1) if the princ's realm matches any of the ++ * 'auth_to_local_realm' relations in the default realm section. ++ */ ++static int ++an_to_ln_realm_chk( ++ krb5_context context, ++ krb5_const_principal aname, ++ char *def_realm) ++{ ++ char **values, **cpp; ++ const char *realm_names[4]; ++ krb5_error_code retval; ++ unsigned int realm_length = krb5_princ_realm(context, aname)->length; ++ ++ realm_names[0] = "realms"; ++ realm_names[1] = def_realm; ++ realm_names[2] = "auth_to_local_realm"; ++ realm_names[3] = 0; ++ ++ if (context->profile == 0) ++ return (0); ++ ++ retval = profile_get_values(context->profile, realm_names, ++ &values); ++ if (retval) ++ return (0); ++ ++ for (cpp = values; *cpp; cpp++) { ++ ++ if (((size_t) realm_length == strlen(*cpp)) && ++ (memcmp(*cpp, krb5_princ_realm(context, aname)->data, ++ realm_length) == 0)) { ++ ++ profile_free_list(values); ++ return (1); /* success */ ++ } ++ } ++ ++ profile_free_list(values); ++ return (0); ++} ++ + /* Apply the default an2ln method, which translates name@defaultrealm or + * name/defaultrealm@defaultrealm to name. */ + static krb5_error_code +@@ -274,7 +317,8 @@ an2ln_default(krb5_context context, krb5 + if (ret) + return KRB5_LNAME_NOTRANS; + +- if (!data_eq_string(aname->realm, def_realm)) { ++ if (!data_eq_string(aname->realm, def_realm) && !an_to_ln_realm_chk(context, ++ aname, def_realm)) { + ret = KRB5_LNAME_NOTRANS; + } else if (aname->length == 2) { + /* Allow a second component if it is the local realm. */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/039-15699628.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/039-15699628.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,26 @@ +# +# This patch fixes the following bug that was found in Solaris and relevant to +# MIT: +# +# 15699628 SUNBT7023055 mech_krb5.so.1`gsserrmap_destroy+0x4f coredump +# +# Note: Given that this bug is relevant to MIT source, this delta should be +# contributed upstream. +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/disp_status.c new/src/lib/gssapi/krb5/disp_status.c +--- old/src/lib/gssapi/krb5/disp_status.c 2015-06-07 23:15:18.753872790 -0600 ++++ new/src/lib/gssapi/krb5/disp_status.c 2015-06-08 00:04:51.457635593 -0600 +@@ -98,6 +98,12 @@ static int save_error_string_nocopy(OM_u + } + } + ret = gsserrmap_replace_or_insert(p, minor_code, msg); ++ if (ret) { ++ gsserrmap_destroy(p); ++ free(p); ++ p = NULL; ++ (void) k5_setspecific(K5_KEY_GSS_KRB5_ERROR_MESSAGE, NULL); ++ } + fail: + #ifdef DEBUG + fprintf(stderr, " p=%p %s\n", (void *)p, ret ? "FAIL" : "SUCCESS"); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/041-move_macros.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/041-move_macros.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,86 @@ +# +# Defines several macros in a public header. +# +# MIT defines g_OID_equal, g_OID_copy and GSS_EMPTY_BUFFER in private header +# files. Solaris testsuite usr/ontest/lib/libgss/gss_api references them. +# +# This patch is unlikely to be accepted upstream. +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/generic/gssapiP_generic.h new/src/lib/gssapi/generic/gssapiP_generic.h +--- old/src/lib/gssapi/generic/gssapiP_generic.h 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/lib/gssapi/generic/gssapiP_generic.h 2015-06-11 12:39:09.937906716 -0700 +@@ -49,10 +49,11 @@ + #include "k5-buf.h" + + /** helper macros **/ +- ++#ifndef g_OID_equal + #define g_OID_equal(o1, o2) \ + (((o1)->length == (o2)->length) && \ + (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0)) ++#endif + + /* this code knows that an int on the wire is 32 bits. The type of + num should be at least this big, or the extra shifts may do weird +diff -pur old/src/lib/gssapi/generic/gssapi_ext.h new/src/lib/gssapi/generic/gssapi_ext.h +--- old/src/lib/gssapi/generic/gssapi_ext.h 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/lib/gssapi/generic/gssapi_ext.h 2015-06-11 12:40:45.859478118 -0700 +@@ -43,6 +43,26 @@ gss_pname_to_uid + uid_t *uidOut); + #endif + ++ ++#ifndef GSS_EMPTY_BUFFER ++#define GSS_EMPTY_BUFFER(buf) ((buf) == NULL || \ ++ (buf)->value == NULL || (buf)->length == 0) ++#endif ++ ++#ifndef g_OID_equal ++#define g_OID_equal(o1, o2) \ ++ (((o1)->length == (o2)->length) && \ ++ (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0)) ++#endif ++ ++#ifndef g_OID_copy ++#define g_OID_copy(o1, o2) \ ++do { \ ++ memcpy((o1)->elements, (o2)->elements, (o2)->length); \ ++ (o1)->length = (o2)->length; \ ++} while (0) ++#endif ++ + /** + * Provides a platform-specific name for a GSSAPI name as interpreted by a + * given mechanism. +diff -pur old/src/lib/gssapi/generic/gssapi_generic.h new/src/lib/gssapi/generic/gssapi_generic.h +--- old/src/lib/gssapi/generic/gssapi_generic.h 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/lib/gssapi/generic/gssapi_generic.h 2015-06-11 12:35:47.817578844 -0700 +@@ -38,8 +38,10 @@ + #define GSSAPIGENERIC_END_DECLS + #endif + ++#ifndef GSS_EMPTY_BUFFER + #define GSS_EMPTY_BUFFER(buf) ((buf) == NULL || \ + (buf)->value == NULL || (buf)->length == 0) ++#endif + + GSSAPIGENERIC_BEGIN_DECLS + +diff -pur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h +--- old/src/lib/gssapi/mechglue/mglueP.h 2015-06-11 12:28:43.196963587 -0700 ++++ new/src/lib/gssapi/mechglue/mglueP.h 2015-06-11 12:40:27.690166071 -0700 +@@ -14,11 +14,13 @@ + #include "mechglue.h" + #include "gssapiP_generic.h" + ++#ifndef g_OID_copy + #define g_OID_copy(o1, o2) \ + do { \ + memcpy((o1)->elements, (o2)->elements, (o2)->length); \ + (o1)->length = (o2)->length; \ + } while (0) ++#endif + + /* + * Array of context IDs typed by mechanism OID diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/045-correct_err_code_for_bad_QOP.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/045-correct_err_code_for_bad_QOP.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,55 @@ +# +# This patch fixes krb5_gss_wrap_size_limit return code to comply with +# RFC 2743. +# +# Found by usr/ontest/lib/libgss/gss_api:gss.17. +# +# The patch was accepted upstream and will be part of krb5 1.14: +# https://github.com/krb5/krb5/commit/45ccc1c85f42e4f41f2042df8a51dd7826533029 +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/k5seal.c new/src/lib/gssapi/krb5/k5seal.c +--- old/src/lib/gssapi/krb5/k5seal.c ++++ new/src/lib/gssapi/krb5/k5seal.c +@@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, co + them later. */ + if (qop_req != 0) { + *minor_status = (OM_uint32) G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; +diff -pur old/src/lib/gssapi/krb5/k5sealiov.c new/src/lib/gssapi/krb5/k5sealiov.c +--- old/src/lib/gssapi/krb5/k5sealiov.c ++++ new/src/lib/gssapi/krb5/k5sealiov.c +@@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status, + + if (qop_req != 0) { + *minor_status = (OM_uint32)G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +@@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_stat + + if (qop_req != GSS_C_QOP_DEFAULT) { + *minor_status = (OM_uint32)G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +diff -pur old/src/lib/gssapi/krb5/wrap_size_limit.c new/src/lib/gssapi/krb5/wrap_size_limit.c +--- old/src/lib/gssapi/krb5/wrap_size_limit.c ++++ new/src/lib/gssapi/krb5/wrap_size_limit.c +@@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, c + /* only default qop is allowed */ + if (qop_req != GSS_C_QOP_DEFAULT) { + *minor_status = (OM_uint32) G_UNKNOWN_QOP; +- return(GSS_S_FAILURE); ++ return(GSS_S_BAD_QOP); + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/046-creds_usage_mismatch_err_code.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/046-creds_usage_mismatch_err_code.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,26 @@ +# +# In krb5_gss_store_cred_into(), if the credential is acceptor-only, set +# the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of +# G_BAD_USAGE. +# +# Found by usr/ontest/lib/libgss/gss_api:gss.27. +# +# Accepted upstream, will be part of krb5 1.14: +# https://github.com/krb5/krb5/commit/c0e16bb2f654038ad81602e89851f232916da051 +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c +--- old/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:13:27.399201700 -0700 ++++ new/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:17:35.570611897 -0700 +@@ -241,7 +241,10 @@ krb5_gss_store_cred_into(OM_uint32 *mino + if (lifetime == 0) + return GSS_S_CREDENTIALS_EXPIRED; + +- if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) { ++ if (actual_usage == GSS_C_ACCEPT) { ++ *minor_status = G_STORE_ACCEPTOR_CRED_NOSUPP; ++ return GSS_S_FAILURE; ++ } else if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) { + *minor_status = G_BAD_USAGE; + return GSS_S_FAILURE; + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/047-dejagnu.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/047-dejagnu.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,208 @@ +# +# This patch fixes the dejagnu test suite and code to successfully run to +# completion. +# +# Note: Given that the changes are dependent upon Solaris' version of RPC it +# is not possible to contribute these changes to MIT unless RPC is also +# donated. +# Patch source: in-house +# +diff -pur old/src/kadmin/testing/scripts/init_db new/src/kadmin/testing/scripts/init_db +--- old/src/kadmin/testing/scripts/init_db 2015-06-10 00:50:51.127628066 -0600 ++++ new/src/kadmin/testing/scripts/init_db 2015-06-16 02:28:12.221384825 -0600 +@@ -215,7 +215,7 @@ changepw/kerberos@$REALM cil + + EOF + +-eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.srvtab $REDIRECT ++eval $LOCAL_MAKE_KEYTAB -princ kadmin/$qualname -princ changepw/$qualname -princ ovsec_adm/admin -princ ovsec_adm/changepw $K5ROOT/ovsec_adm.srvtab $REDIRECT + + # Create $K5ROOT/setup.csh to make it easy to run other programs against + # the test db +diff -pur old/src/kadmin/testing/util/tcl_kadm5.c new/src/kadmin/testing/util/tcl_kadm5.c +--- old/src/kadmin/testing/util/tcl_kadm5.c 2015-06-10 00:50:51.128546692 -0600 ++++ new/src/kadmin/testing/util/tcl_kadm5.c 2015-06-16 02:25:40.402115955 -0600 +@@ -13,8 +13,11 @@ + #include + #include + #include ++#include + #include "tcl_kadm5.h" + ++#define MAXHOSTNAMELEN 256 ++ + struct flagval { + char *name; + krb5_flags val; +@@ -2504,12 +2507,14 @@ static int tcl_kadm5_get_privs(ClientDat + + void Tcl_kadm5_init(Tcl_Interp *interp) + { +- char buf[20]; ++ char buf[MAXHOSTNAMELEN], localname[MAXHOSTNAMELEN] = "localhost"; ++ ++ (void) gethostname(localname, MAXHOSTNAMELEN); + +- Tcl_SetVar(interp, "KADM5_ADMIN_SERVICE", +- KADM5_ADMIN_SERVICE, TCL_GLOBAL_ONLY); +- Tcl_SetVar(interp, "KADM5_CHANGEPW_SERVICE", +- KADM5_CHANGEPW_SERVICE, TCL_GLOBAL_ONLY); ++ (void) sprintf(buf, "%s@%s", KADM5_ADMIN_HOST_SERVICE, localname); ++ Tcl_SetVar(interp, "KADM5_ADMIN_SERVICE", buf, TCL_GLOBAL_ONLY); ++ (void) sprintf(buf, "%s@%s", KADM5_CHANGEPW_HOST_SERVICE, localname); ++ Tcl_SetVar(interp, "KADM5_CHANGEPW_SERVICE", buf, TCL_GLOBAL_ONLY); + (void) sprintf(buf, "%d", KADM5_STRUCT_VERSION); + Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY); + (void) sprintf(buf, "%d", KADM5_API_VERSION_2); +diff -pur old/src/lib/kadm5/unit-test/api.current/init-v2.exp new/src/lib/kadm5/unit-test/api.current/init-v2.exp +--- old/src/lib/kadm5/unit-test/api.current/init-v2.exp 2015-06-10 00:50:51.345973412 -0600 ++++ new/src/lib/kadm5/unit-test/api.current/init-v2.exp 2015-06-17 15:27:14.063710212 -0600 +@@ -70,7 +70,7 @@ proc test102 {} { + [config_params {KADM5_CONFIG_ADMIN_SERVER} does.not.exist] \ + $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ + server_handle +- } "CANT_RESOLVE" ++ } "KADM5_RPC_ERROR" + } + if {$RPC} test102 + +@@ -434,10 +434,11 @@ expect { + + test "init 150" + proc test150 {} { +- global test KADM5_ADMIN_SERVICE ++ global test hostname + ++ get_hostname + kdestroy +- kinit testuser notathena "-S $KADM5_ADMIN_SERVICE" ++ kinit testuser notathena "-S kadmin/$hostname" + one_line_succeed_test { + kadm5_init_with_creds testuser null $KADM5_ADMIN_SERVICE \ + null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ +@@ -449,10 +450,11 @@ if {$RPC} test150 + + test "init 151" + proc test151 {} { +- global test KADM5_CHANGEPW_SERVICE ++ global test hostname + ++ get_hostname + kdestroy +- kinit testuser notathena "-S $KADM5_CHANGEPW_SERVICE" ++ kinit testuser notathena "-S changepw/$hostname" + one_line_succeed_test { + kadm5_init_with_creds testuser null $KADM5_CHANGEPW_SERVICE \ + null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ +diff -pur old/src/lib/kadm5/unit-test/api.current/init.exp new/src/lib/kadm5/unit-test/api.current/init.exp +--- old/src/lib/kadm5/unit-test/api.current/init.exp 2015-06-10 00:50:51.346734449 -0600 ++++ new/src/lib/kadm5/unit-test/api.current/init.exp 2015-06-16 02:25:07.155377656 -0600 +@@ -697,8 +697,8 @@ if {$RPC} { + # re-extract the keytab so it is right + exec rm $env(K5ROOT)/ovsec_adm.srvtab + exec $env(MAKE_KEYTAB) -princ ovsec_adm/admin -princ ovsec_adm/changepw \ +- -princ kadmin/admin -princ kadmin/changepw \ +- $env(K5ROOT)/ovsec_adm.srvtab ++ -princ kadmin/[exec $env(QUALNAME)] \ ++ -princ changepw/[exec $env(QUALNAME)] $env(K5ROOT)/ovsec_adm.srvtab + } + + return "" +diff -pur old/src/lib/kadm5/unit-test/destroy-test.c new/src/lib/kadm5/unit-test/destroy-test.c +--- old/src/lib/kadm5/unit-test/destroy-test.c 2015-06-10 00:50:51.347207985 -0600 ++++ new/src/lib/kadm5/unit-test/destroy-test.c 2015-06-12 01:15:05.073293523 -0600 +@@ -27,7 +27,7 @@ int main() + exit(2); + } + for(x = 0; x < TEST_NUM; x++) { +- ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, 0, ++ ret = kadm5_init(context, "admin", "admin", NULL, 0, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &server_handle); + if(ret != KADM5_OK) { +diff -pur old/src/lib/kadm5/unit-test/handle-test.c new/src/lib/kadm5/unit-test/handle-test.c +--- old/src/lib/kadm5/unit-test/handle-test.c 2015-06-10 00:50:51.347684536 -0600 ++++ new/src/lib/kadm5/unit-test/handle-test.c 2015-06-12 01:17:51.121655473 -0600 +@@ -30,7 +30,7 @@ int main(int argc, char *argv[]) + + kadm5_init_krb5_context(&context); + +- ret = kadm5_init(context, "admin/none", "admin", KADM5_ADMIN_SERVICE, NULL, ++ ret = kadm5_init(context, "admin/none", "admin", NULL, NULL, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &server_handle); + if(ret != KADM5_OK) { +diff -pur old/src/lib/kadm5/unit-test/iter-test.c new/src/lib/kadm5/unit-test/iter-test.c +--- old/src/lib/kadm5/unit-test/iter-test.c 2015-06-10 00:50:51.347990562 -0600 ++++ new/src/lib/kadm5/unit-test/iter-test.c 2015-06-12 01:18:32.114334236 -0600 +@@ -22,7 +22,7 @@ int main(int argc, char **argv) + com_err("iter-test", ret, "while initializing context"); + exit(1); + } +- ret = kadm5_init("admin", "admin", KADM5_ADMIN_SERVICE, 0, ++ ret = kadm5_init("admin", "admin", NULL, 0, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &server_handle); + if (ret != KADM5_OK) { +diff -pur old/src/lib/kadm5/unit-test/Makefile.in new/src/lib/kadm5/unit-test/Makefile.in +--- old/src/lib/kadm5/unit-test/Makefile.in 2015-06-10 00:50:51.344879613 -0600 ++++ new/src/lib/kadm5/unit-test/Makefile.in 2015-06-12 01:08:32.007953859 -0600 +@@ -103,7 +103,7 @@ unit-test-server-setup:: + unit-test-server-cleanup:: + $(ENV_SETUP) $(STOP_SERVERS_LOCAL) + +-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client ++unit-test-client-body: site.exp test-destroy test-handle-client + $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \ + KINIT=$(BUILDTOP)/clients/kinit/kinit \ + KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \ +diff -pur old/src/lib/kadm5/unit-test/randkey-test.c new/src/lib/kadm5/unit-test/randkey-test.c +--- old/src/lib/kadm5/unit-test/randkey-test.c 2015-06-10 00:50:51.345250545 -0600 ++++ new/src/lib/kadm5/unit-test/randkey-test.c 2015-06-12 01:19:03.866788127 -0600 +@@ -23,7 +23,7 @@ int main() + kadm5_init_krb5_context(&context); + + krb5_parse_name(context, "testuser", &tprinc); +- ret = kadm5_init(context, "admin", "admin", KADM5_ADMIN_SERVICE, NULL, ++ ret = kadm5_init(context, "admin", "admin", NULL, NULL, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &server_handle); + if(ret != KADM5_OK) { +diff -pur old/src/lib/kadm5/unit-test/setkey-test.c new/src/lib/kadm5/unit-test/setkey-test.c +--- old/src/lib/kadm5/unit-test/setkey-test.c 2015-06-10 00:50:51.345023163 -0600 ++++ new/src/lib/kadm5/unit-test/setkey-test.c 2015-06-12 01:19:20.512438967 -0600 +@@ -119,7 +119,7 @@ main(int argc, char **argv) + exit(1); + } + +- ret = kadm5_init(context, authprinc, NULL, KADM5_ADMIN_SERVICE, NULL, ++ ret = kadm5_init(context, authprinc, NULL, NULL, NULL, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &handle); + if (ret) { +diff -pur old/src/tests/dejagnu/krb-standalone/kadmin.exp new/src/tests/dejagnu/krb-standalone/kadmin.exp +--- old/src/tests/dejagnu/krb-standalone/kadmin.exp 2015-06-10 00:50:51.143889459 -0600 ++++ new/src/tests/dejagnu/krb-standalone/kadmin.exp 2015-06-17 16:39:21.177011699 -0600 +@@ -1050,13 +1050,16 @@ proc kadmin_test { } { + return + } + ++ # The fallback to kadmin/admin is an invalid test case for Solaris RPC. ++ # Ergo this test is now commented out. ++ # + # test fallback to kadmin/admin +- if {![kadmin_delete kadmin/$hostname] \ +- || ![kadmin_list] \ +- || ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \ +- || ![kadmin_list]} { +- return +- } ++ #if {![kadmin_delete kadmin/$hostname] \ ++ # || ![kadmin_list] \ ++ # || ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \ ++ # || ![kadmin_list]} { ++ # return ++ #} + + verbose "kadmin_test succeeded" + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/048-dns-fix.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/048-dns-fix.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,244 @@ +# +# This patch fixes a number of issues with MIT regression tests caused by the +# fact that Solaris Kerberos fully qualifies DNS names when constructing service +# princpals names with the introduction of 030-force_dns_hostname_canon.patch. +# +# Note: Given that the changes made are to fix issues caused by a Solaris only +# feature that this patch is not intended to be contributed upstream. +# Patch source: in-house +# +diff -pur old/src/lib/kadm5/unit-test/api.current/init-v2.exp new/src/lib/kadm5/unit-test/api.current/init-v2.exp +--- old/src/lib/kadm5/unit-test/api.current/init-v2.exp 2015-06-21 00:18:20.230303372 -0600 ++++ new/src/lib/kadm5/unit-test/api.current/init-v2.exp 2015-06-22 17:04:49.232411015 -0600 +@@ -14,7 +14,7 @@ proc get_hostname { } { + return 1 + } + +- catch "exec $RESOLVE -q >myname" exec_output ++ catch "exec $RESOLVE -d >myname" exec_output + if ![string match "" $exec_output] { + send_log "$exec_output\n" + verbose $exec_output +diff -pur old/src/lib/kadm5/unit-test/api.current/init.exp new/src/lib/kadm5/unit-test/api.current/init.exp +--- old/src/lib/kadm5/unit-test/api.current/init.exp 2015-06-21 00:18:20.230782385 -0600 ++++ new/src/lib/kadm5/unit-test/api.current/init.exp 2015-06-22 17:32:38.659298951 -0600 +@@ -9,6 +9,39 @@ load_lib lib.t + + api_exit + api_start ++ ++if ![info exists RESOLVE] { ++ set RESOLVE [findfile $objdir/../../../tests/resolve/resolve] ++} ++proc get_hostname { } { ++ global RESOLVE ++ global hostname ++ ++ if {[info exists hostname]} { ++ return 1 ++ } ++ ++ catch "exec $RESOLVE -d >myname" exec_output ++ if ![string match "" $exec_output] { ++ send_log "$exec_output\n" ++ verbose $exec_output ++ send_error "ERROR: can't get hostname\n" ++ return 0 ++ } ++ set file [open myname r] ++ if { [ gets $file hostname ] == -1 } { ++ send_error "ERROR: no output from hostname\n" ++ return 0 ++ } ++ close $file ++ catch "exec rm -f myname" exec_output ++ ++ set hostname [string tolower $hostname] ++ verbose "hostname: $hostname" ++ ++ return 1 ++} ++ + test "init 1" + + one_line_fail_test_nochk \ +@@ -686,6 +719,10 @@ proc test45_46 {service} { + } + + if {$RPC} { ++ global hostname ++ ++ get_hostname ++ + test "init 45" + + test45_46 ovsec_adm/admin +@@ -697,8 +734,8 @@ if {$RPC} { + # re-extract the keytab so it is right + exec rm $env(K5ROOT)/ovsec_adm.srvtab + exec $env(MAKE_KEYTAB) -princ ovsec_adm/admin -princ ovsec_adm/changepw \ +- -princ kadmin/[exec $env(QUALNAME)] \ +- -princ changepw/[exec $env(QUALNAME)] $env(K5ROOT)/ovsec_adm.srvtab ++ -princ kadmin/$hostname -princ changepw/$hostname \ ++ $env(K5ROOT)/ovsec_adm.srvtab + } + + return "" +diff -pur old/src/tests/dejagnu/config/default.exp new/src/tests/dejagnu/config/default.exp +--- old/src/tests/dejagnu/config/default.exp 2015-06-21 00:18:20.155115365 -0600 ++++ new/src/tests/dejagnu/config/default.exp 2015-06-22 02:55:13.011533167 -0600 +@@ -682,7 +682,7 @@ proc get_hostname { } { + + envstack_push + setup_runtime_env +- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output ++ catch "exec $RESOLVE -d >$tmppwd/hostname" exec_output + envstack_pop + if ![string match "" $exec_output] { + verbose -log $exec_output +diff -pur old/src/tests/resolve/Makefile.in new/src/tests/resolve/Makefile.in +--- old/src/tests/resolve/Makefile.in 2015-06-21 00:18:20.152133289 -0600 ++++ new/src/tests/resolve/Makefile.in 2015-06-22 02:54:28.986659244 -0600 +@@ -8,7 +8,7 @@ SRCS=$(srcdir)/resolve.c $(srcdir)/addri + all:: resolve addrinfo-test fake-addrinfo-test + + resolve: resolve.o +- $(CC_LINK) -o $@ resolve.o $(LIBS) ++ $(CC_LINK) -o $@ resolve.o -lresolv $(LIBS) + + addrinfo-test: addrinfo-test.o + $(CC_LINK) -o $@ addrinfo-test.o $(SUPPORT_LIB) $(LIBS) +diff -pur old/src/tests/resolve/resolve.c new/src/tests/resolve/resolve.c +--- old/src/tests/resolve/resolve.c 2015-06-21 00:18:20.151976156 -0600 ++++ new/src/tests/resolve/resolve.c 2015-06-22 17:03:19.772488031 -0600 +@@ -73,6 +73,94 @@ char *strchr(); + #include + #include + ++#include ++#include ++#include ++ ++int ++resolve_dns(char *hostname) ++{ ++ unsigned char answer[NS_MAXMSG], *ansp = NULL, *end; ++ char name[NS_MAXDNAME]; ++ int anslen, len = 0, nq, na, hostlen, found = 0, type, class, ttl, size; ++ struct __res_state stat; ++ HEADER *h; ++ ++ (void) strncpy(name, hostname, NS_MAXDNAME); ++ ++ (void) memset(&stat, 0, sizeof (stat)); ++ if (res_ninit(&stat) == -1) ++ return 1; ++ anslen = sizeof (answer); ++ ++ len = res_nsearch(&stat, name, C_IN, T_A, answer, anslen); ++ if (len < sizeof (HEADER)) { ++ res_ndestroy(&stat); ++ return 2; ++ } ++ ++ ansp = answer; ++ end = ansp + anslen; ++ ++ h = (HEADER *)answer; ++ nq = ntohs(h->qdcount); ++ na = ntohs(h->ancount); ++ ansp += HFIXEDSZ; ++ ++ if (nq != 1 || na < 1) { ++ res_ndestroy(&stat); ++ return 3; ++ } ++ ++ hostlen = sizeof (name); ++ len = dn_expand(answer, end, ansp, name, hostlen); ++ if (len < 0) { ++ res_ndestroy(&stat); ++ return 4; ++ } ++ ++ ansp += len + QFIXEDSZ; ++ ++ if (ansp > end) { ++ res_ndestroy(&stat); ++ return 5; ++ } ++ ++ while (na-- > 0 && ansp < end) { ++ len = dn_expand(answer, end, ansp, name, hostlen); ++ ++ if (len < 0) ++ continue; ++ ++ ansp += len; /* name */ ++ NS_GET16(type, ansp); /* type */ ++ NS_GET16(class, ansp); /* class */ ++ NS_GET32(ttl, ansp); /* ttl */ ++ NS_GET16(size, ansp); /* size */ ++ ++ if ((ansp + size) > end) { ++ res_ndestroy(&stat); ++ return 6; ++ } ++ ++ ansp += len; ++ if (type == T_A && class == C_IN) { ++ found = 1; ++ break; ++ } ++ } ++ ++ if (found != 1) { ++ res_ndestroy(&stat); ++ return 7; ++ } ++ ++ (void) printf("%s\n", name); ++ res_ndestroy(&stat); ++ ++ return 0; ++} ++ + int + main(argc, argv) + int argc; +@@ -82,14 +170,16 @@ main(argc, argv) + char *ptr, *fqdn; + struct in_addr addrcopy; + struct hostent *host; +- int quiet = 0; ++ int ret, quiet = 0, dns = 0; + + argc--; argv++; + while (argc) { + if ((strcmp(*argv, "--quiet") == 0) || + (strcmp(*argv, "-q") == 0)) { + quiet++; +- } else ++ } else if (strcmp(*argv, "-d") == 0) ++ dns++; ++ else + break; + argc--; argv++; + } +@@ -105,6 +195,16 @@ main(argc, argv) + + myname[MAXHOSTNAMELEN] = '\0'; /* for safety */ + ++ if (dns) { ++ if (ret = resolve_dns(myname)) { ++ fprintf(stderr, ++ "Could not resolve hostname ('%s') through DNS - fatal: %d\n", ++ myname, ret); ++ exit(2); ++ } ++ exit(0); ++ } ++ + /* Look up the address... */ + if (!quiet) + printf("Hostname: %s\n", myname); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/049-kpropd_no_retries.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/049-kpropd_no_retries.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,37 @@ +# +# Disable retrying in kpropd, when kadm5 interface cannot be initialized. +# +# When MIT kpropd cannot contact master KDC, it keeps retrying indefinitely. +# This doesn't play well with SMF; krb5_prop service is reported as online, +# while the daemon really just keeps failing to connect. +# +# This patch changes kpropd, so that it exits with error immediately. +# +# This is a Solaris specific change, it will not be contributed upstream. +# Patch source: in-house +# +diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c +--- old/src/slave/kpropd.c 2015-06-26 05:26:18.093175489 -0700 ++++ new/src/slave/kpropd.c 2015-07-07 05:33:21.888052914 -0700 +@@ -730,18 +730,10 @@ reinit: + + usage(); + } +- reinit_cnt++; + com_err(progname, retval, +- _("while initializing %s interface, retrying"), +- progname); +- backoff_time = backoff_from_master(&reinit_cnt); +- if (debug) { +- fprintf(stderr, _("Sleeping %d seconds to re-initialize " +- "kadm5 (krb5kdc not running?)\n"), +- backoff_time); +- } +- sleep(backoff_time); +- goto reinit; ++ _("while initializing %s interface for %s, exiting."), ++ progname, iprop_svc_princstr); ++ exit(1); + } + } + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/050-libverto_memleak.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/050-libverto_memleak.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,34 @@ +# +# Fixes a memory leak in libverto:vfree. +# +# Symbol vfree is defined as a macro vresize(X,0) and eventually realloc(X,0) +# gets called. According to realloc(3C), realloc with size=0 can return either +# NULL or a pointer that can be passed to free. This free-able pointer never +# gets freed in current code and leaks 8 B of memory on every event deletion. +# +# This patch replaces realloc(X,0) with free(). +# +# Reported by security/krb5api testsuite and libumem. +# +# This patch has been contributed to MIT in +# https://github.com/krb5/krb5/pull/294 +# +# MIT requested this issue be reported to libverto project: +# https://fedorahosted.org/libverto/ticket/13 +# Patch source: in-house +# +diff -pur old/src/util/verto/verto.c new/src/util/verto/verto.c +--- old/src/util/verto/verto.c 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/util/verto/verto.c 2015-07-03 08:35:24.868287391 -0700 +@@ -132,6 +132,11 @@ vresize(void *mem, size_t size) + { + if (!resize_cb) + resize_cb = &realloc; ++ if (size == 0 && resize_cb == &realloc) { ++ /* avoid memleak as realloc(X,0) can return a free-able pointer */ ++ free(mem); ++ return (NULL); ++ } + return (*resize_cb)(mem, size); + } + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/051-fopenF.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/051-fopenF.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,851 @@ +# +# Modifies calls to fopen() to add 'F' flag so 32bit binaries can open > 256 +# file descriptors at once. +# +# MIT said they would take this patch however there has been talk of modifying +# fopen() for 32bit apps to extend the number of fds so this patch will not be +# submitted to MIT until this is resolved in ON. +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/appl/gss-sample/gss-server.c krb5-1.13.2.fopen/src/appl/gss-sample/gss-server.c +--- krb5-1.13.2/src/appl/gss-sample/gss-server.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/appl/gss-sample/gss-server.c 2015-08-11 13:52:42.455625831 -0500 +@@ -699,7 +699,7 @@ + if (!strcmp(*argv, "/dev/null")) { + logfile = display_file = NULL; + } else { +- logfile = fopen(*argv, "a"); ++ logfile = fopen(*argv, "aF"); + display_file = logfile; + if (!logfile) { + perror(*argv); +diff -ur krb5-1.13.2/src/clients/ksu/authorization.c krb5-1.13.2.fopen/src/clients/ksu/authorization.c +--- krb5-1.13.2/src/clients/ksu/authorization.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/clients/ksu/authorization.c 2015-08-11 13:46:50.985382622 -0500 +@@ -100,7 +100,7 @@ + + /* k5login and k5users must be owned by target user or root */ + if (!k5login_flag){ +- if ((login_fp = fopen(k5login_path, "r")) == NULL) ++ if ((login_fp = fopen(k5login_path, "rF")) == NULL) + return 0; + if ( fowner(login_fp, pwd->pw_uid) == FALSE) { + fclose(login_fp); +@@ -109,7 +109,7 @@ + } + + if (!k5users_flag){ +- if ((users_fp = fopen(k5users_path, "r")) == NULL) { ++ if ((users_fp = fopen(k5users_path, "rF")) == NULL) { + return 0; + } + if ( fowner(users_fp, pwd->pw_uid) == FALSE){ +diff -ur krb5-1.13.2/src/clients/ksu/ccache.c krb5-1.13.2.fopen/src/clients/ksu/ccache.c +--- krb5-1.13.2/src/clients/ksu/ccache.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/clients/ksu/ccache.c 2015-08-11 13:27:17.131920647 -0500 +@@ -375,7 +375,7 @@ + + + /* open ~/.k5login */ +- if ((fp = fopen(pbuf, "r")) == NULL) { ++ if ((fp = fopen(pbuf, "rF")) == NULL) { + return 0; + } + /* +diff -ur krb5-1.13.2/src/clients/ksu/heuristic.c krb5-1.13.2.fopen/src/clients/ksu/heuristic.c +--- krb5-1.13.2/src/clients/ksu/heuristic.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/clients/ksu/heuristic.c 2015-08-11 13:53:18.318187882 -0500 +@@ -222,7 +222,7 @@ + k5users_flag = stat(k5users_path, &tb); + + if (!k5login_flag){ +- if ((login_fp = fopen(k5login_path, "r")) == NULL) ++ if ((login_fp = fopen(k5login_path, "rF")) == NULL) + return 0; + if ( fowner(login_fp, pwd->pw_uid) == FALSE){ + close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/, +@@ -231,7 +231,7 @@ + } + } + if (!k5users_flag){ +- if ((users_fp = fopen(k5users_path, "r")) == NULL) ++ if ((users_fp = fopen(k5users_path, "rF")) == NULL) + return 0; + + if ( fowner(users_fp, pwd->pw_uid) == FALSE){ +diff -ur krb5-1.13.2/src/kadmin/dbutil/dump.c krb5-1.13.2.fopen/src/kadmin/dbutil/dump.c +--- krb5-1.13.2/src/kadmin/dbutil/dump.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/kadmin/dbutil/dump.c 2015-08-11 13:41:07.987791713 -0500 +@@ -1195,7 +1195,7 @@ + char buf[BUFSIZ]; + FILE *f; + +- f = fopen(ifile, "r"); ++ f = fopen(ifile, "rF"); + if (f == NULL) + return 0; /* aliasing other errors to ENOENT here is OK */ + +@@ -1517,7 +1517,7 @@ + + /* Open the dumpfile. */ + if (dumpfile != NULL) { +- f = fopen(dumpfile, "r"); ++ f = fopen(dumpfile, "rF"); + if (f == NULL) { + com_err(progname, errno, _("while opening %s"), dumpfile); + goto error; +diff -ur krb5-1.13.2/src/kadmin/server/ovsec_kadmd.c krb5-1.13.2.fopen/src/kadmin/server/ovsec_kadmd.c +--- krb5-1.13.2/src/kadmin/server/ovsec_kadmd.c 2015-08-11 14:09:05.551255648 -0500 ++++ krb5-1.13.2.fopen/src/kadmin/server/ovsec_kadmd.c 2015-08-11 13:45:04.700855296 -0500 +@@ -126,7 +126,7 @@ + unsigned long pid; + int st1, st2; + +- file = fopen(pid_file, "w"); ++ file = fopen(pid_file, "wF"); + if (file == NULL) + return errno; + pid = (unsigned long)getpid(); +diff -ur krb5-1.13.2/src/kdc/main.c krb5-1.13.2.fopen/src/kdc/main.c +--- krb5-1.13.2/src/kdc/main.c 2015-08-11 14:09:05.788213288 -0500 ++++ krb5-1.13.2.fopen/src/kdc/main.c 2015-08-11 13:40:50.652078819 -0500 +@@ -859,7 +859,7 @@ + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = fopen(path, "wF"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff -ur krb5-1.13.2/src/lib/gssapi/generic/util_errmap.c krb5-1.13.2.fopen/src/lib/gssapi/generic/util_errmap.c +--- krb5-1.13.2/src/lib/gssapi/generic/util_errmap.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/gssapi/generic/util_errmap.c 2015-08-11 13:44:48.732993167 -0500 +@@ -176,7 +176,7 @@ + + #ifdef DEBUG + FILE *f; +- f = fopen("/dev/pts/9", "w+"); ++ f = fopen("/dev/pts/9", "w+F"); + if (f == NULL) + f = stderr; + #endif +diff -ur krb5-1.13.2/src/lib/gssapi/mechglue/g_initialize.c krb5-1.13.2.fopen/src/lib/gssapi/mechglue/g_initialize.c +--- krb5-1.13.2/src/lib/gssapi/mechglue/g_initialize.c 2015-08-11 14:09:05.250949351 -0500 ++++ krb5-1.13.2.fopen/src/lib/gssapi/mechglue/g_initialize.c 2015-08-11 13:38:16.832678845 -0500 +@@ -1357,7 +1357,7 @@ + char buffer[BUFSIZ], *oidStr; + FILE *confFile; + +- if ((confFile = fopen(fileName, "r")) == NULL) { ++ if ((confFile = fopen(fileName, "rF")) == NULL) { + return; + } + +diff -ur krb5-1.13.2/src/lib/kadm5/logger.c krb5-1.13.2.fopen/src/lib/kadm5/logger.c +--- krb5-1.13.2/src/lib/kadm5/logger.c 2015-08-11 14:09:05.365604955 -0500 ++++ krb5-1.13.2.fopen/src/lib/kadm5/logger.c 2015-08-11 13:50:11.011871109 -0500 +@@ -567,7 +567,7 @@ + if (cp[4] == ':' || cp[4] == '=') { + /* Solaris Kerberos */ + log_control.log_entries[i].lfu_fopen_mode = +- (cp[4] == ':') ? "a" : "w"; ++ (cp[4] == ':') ? "aF" : "wF"; + old_umask = umask(077); + f = fopen(&cp[5], + log_control.log_entries[i].lfu_fopen_mode); +@@ -802,7 +802,7 @@ + */ + else if (!strcasecmp(cp, "CONSOLE")) { + log_control.log_entries[i].ldu_filep = +- CONSOLE_OPEN("a+"); ++ CONSOLE_OPEN("a+F"); + if (log_control.log_entries[i].ldu_filep) { + set_cloexec_file(log_control.log_entries[i].ldu_filep); + log_control.log_entries[i].log_type = K_LOG_CONSOLE; +@@ -818,7 +818,7 @@ + */ + if (cp[6] == '=') { + log_control.log_entries[i].ldu_filep = +- DEVICE_OPEN(&cp[7], "w"); ++ DEVICE_OPEN(&cp[7], "wF"); + if (log_control.log_entries[i].ldu_filep) { + set_cloexec_file(log_control.log_entries[i].ldu_filep); + log_control.log_entries[i].log_type = K_LOG_DEVICE; +@@ -1157,7 +1157,7 @@ + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = fopen(log_control.log_entries[lindex].lfu_fname, "a+F"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +diff -ur krb5-1.13.2/src/lib/kadm5/srv/server_acl.c krb5-1.13.2.fopen/src/lib/kadm5/srv/server_acl.c +--- krb5-1.13.2/src/lib/kadm5/srv/server_acl.c 2015-08-11 14:09:05.702364340 -0500 ++++ krb5-1.13.2.fopen/src/lib/kadm5/srv/server_acl.c 2015-08-11 13:38:00.105075682 -0500 +@@ -496,7 +496,7 @@ + + DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n")); + /* Open the ACL file for read */ +- afp = fopen(acl_acl_file, "r"); ++ afp = fopen(acl_acl_file, "rF"); + if (afp) { + set_cloexec_file(afp); + alineno = 1; +diff -ur krb5-1.13.2/src/lib/kdb/kdb_default.c krb5-1.13.2.fopen/src/lib/kdb/kdb_default.c +--- krb5-1.13.2/src/lib/kdb/kdb_default.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/kdb/kdb_default.c 2015-08-11 13:39:37.134237942 -0500 +@@ -251,9 +251,9 @@ + FILE *kf = NULL; + + #ifdef ANSI_STDIO +- if (!(kf = fopen(keyfile, "rb"))) ++ if (!(kf = fopen(keyfile, "rbF"))) + #else +- if (!(kf = fopen(keyfile, "r"))) ++ if (!(kf = fopen(keyfile, "rF"))) + #endif + return KRB5_KDB_CANTREAD_STORED; + set_cloexec_file(kf); +diff -ur krb5-1.13.2/src/lib/krb5/ccache/cc_dir.c krb5-1.13.2.fopen/src/lib/krb5/ccache/cc_dir.c +--- krb5-1.13.2/src/lib/krb5/ccache/cc_dir.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/ccache/cc_dir.c 2015-08-11 13:41:24.435225067 -0500 +@@ -153,7 +153,7 @@ + *residual_out = NULL; + + /* Open the file and read its first line. */ +- fp = fopen(primary_path, "r"); ++ fp = fopen(primary_path, "rF"); + if (fp == NULL) + return ENOENT; + ret = fgets(buf, sizeof(buf), fp); +diff -ur krb5-1.13.2/src/lib/krb5/ccache/ccselect_k5identity.c krb5-1.13.2.fopen/src/lib/krb5/ccache/ccselect_k5identity.c +--- krb5-1.13.2/src/lib/krb5/ccache/ccselect_k5identity.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/ccache/ccselect_k5identity.c 2015-08-11 13:26:23.773323178 -0500 +@@ -168,7 +168,7 @@ + free(homedir); + if (ret) + return ret; +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "rF"); + free(filename); + if (fp == NULL) + return KRB5_PLUGIN_NO_HANDLE; +diff -ur krb5-1.13.2/src/lib/krb5/keytab/kt_file.c krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_file.c +--- krb5-1.13.2/src/lib/krb5/keytab/kt_file.c 2015-08-11 14:09:05.422898949 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_file.c 2015-08-11 13:39:18.503152692 -0500 +@@ -1022,11 +1022,11 @@ + #define krb5_kt_default_vno ((krb5_kt_vno)KRB5_KT_DEFAULT_VNO) + + #ifdef ANSI_STDIO +-static char *const fopen_mode_rbplus= "rb+"; +-static char *const fopen_mode_rb = "rb"; ++static char *const fopen_mode_rbplus= "rb+F"; ++static char *const fopen_mode_rb = "rbF"; + #else +-static char *const fopen_mode_rbplus= "r+"; +-static char *const fopen_mode_rb = "r"; ++static char *const fopen_mode_rbplus= "r+F"; ++static char *const fopen_mode_rb = "rF"; + #endif + + static krb5_error_code +diff -ur krb5-1.13.2/src/lib/krb5/keytab/kt_srvtab.c krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_srvtab.c +--- krb5-1.13.2/src/lib/krb5/keytab/kt_srvtab.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_srvtab.c 2015-08-11 13:36:28.107510825 -0500 +@@ -342,9 +342,9 @@ + #include + + #ifdef ANSI_STDIO +-#define READ_MODE "rb" ++#define READ_MODE "rbF" + #else +-#define READ_MODE "r" ++#define READ_MODE "rF" + #endif + + /* The maximum sizes for V4 aname, realm, sname, and instance +1 */ +diff -ur krb5-1.13.2/src/lib/krb5/os/localaddr.c krb5-1.13.2.fopen/src/lib/krb5/os/localaddr.c +--- krb5-1.13.2/src/lib/krb5/os/localaddr.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/os/localaddr.c 2015-08-11 13:40:00.997639967 -0500 +@@ -368,7 +368,7 @@ + FILE *f; + + /* _PATH_PROCNET_IFINET6 */ +- f = fopen("/proc/net/if_inet6", "r"); ++ f = fopen("/proc/net/if_inet6", "rF"); + if (f) { + char ifname[21]; + unsigned int idx, pfxlen, scope, dadstat; +diff -ur krb5-1.13.2/src/lib/krb5/os/localauth_k5login.c krb5-1.13.2.fopen/src/lib/krb5/os/localauth_k5login.c +--- krb5-1.13.2/src/lib/krb5/os/localauth_k5login.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/os/localauth_k5login.c 2015-08-11 13:45:18.115959001 -0500 +@@ -116,7 +116,7 @@ + if (ret) + goto cleanup; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "rF"); + if (fp == NULL) { + ret = errno; + goto cleanup; +diff -ur krb5-1.13.2/src/lib/krb5/rcache/t_replay.c krb5-1.13.2.fopen/src/lib/krb5/rcache/t_replay.c +--- krb5-1.13.2/src/lib/krb5/rcache/t_replay.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/rcache/t_replay.c 2015-08-11 13:45:29.971685638 -0500 +@@ -66,7 +66,7 @@ + krb5_int32 usec; + krb5_timestamp timestamp; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "rF"); + if (!fp) { + fprintf(stderr, "Can't open filename: %s\n", strerror(errno)); + return; +diff -ur krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucdata.c krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucdata.c +--- krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucdata.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucdata.c 2015-08-11 13:43:57.692003927 -0500 +@@ -156,7 +156,7 @@ + _ucprop_size = 0; + } + +- if ((in = _ucopenfile(paths, "ctype.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "ctype.dat", "rbF")) == 0) + return -1; + + /* +@@ -337,7 +337,7 @@ + _uccase_size = 0; + } + +- if ((in = _ucopenfile(paths, "case.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "case.dat", "rbF")) == 0) + return -1; + + /* +@@ -532,7 +532,7 @@ + _uccomp_size = 0; + } + +- if ((in = _ucopenfile(paths, "comp.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "comp.dat", "rbF")) == 0) + return -1; + + /* +@@ -730,7 +730,7 @@ + _ucdcmp_size = 0; + } + +- if ((in = _ucopenfile(paths, "decomp.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "decomp.dat", "rbF")) == 0) + return -1; + + /* +@@ -785,7 +785,7 @@ + _uckdcmp_size = 0; + } + +- if ((in = _ucopenfile(paths, "kdecomp.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "kdecomp.dat", "rbF")) == 0) + return -1; + + /* +@@ -1042,7 +1042,7 @@ + _uccmcl_size = 0; + } + +- if ((in = _ucopenfile(paths, "cmbcl.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "cmbcl.dat", "rbF")) == 0) + return -1; + + /* +@@ -1138,7 +1138,7 @@ + _ucnum_size = 0; + } + +- if ((in = _ucopenfile(paths, "num.dat", "rb")) == 0) ++ if ((in = _ucopenfile(paths, "num.dat", "rbF")) == 0) + return -1; + + /* +diff -ur krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucgendat.c krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucgendat.c +--- krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucgendat.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucgendat.c 2015-08-11 13:51:21.938013410 -0500 +@@ -1296,14 +1296,14 @@ + * Open the output file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "uctable.h", opath); +- if ((out = fopen(path, "w")) == 0) ++ if ((out = fopen(path, "wF")) == 0) + return; + #else + /* + * Open the ctype.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "ctype.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + #endif + +@@ -1436,7 +1436,7 @@ + * Open the case.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "case.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + /* +@@ -1513,7 +1513,7 @@ + * Open the comp.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "comp.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + /* +@@ -1589,7 +1589,7 @@ + * Open the decomp.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "decomp.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + hdr[1] = decomps_used; +@@ -1682,7 +1682,7 @@ + * Open the kdecomp.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "kdecomp.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + hdr[1] = kdecomps_used; +@@ -1762,7 +1762,7 @@ + * Open the cmbcl.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "cmbcl.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + /* +@@ -1836,7 +1836,7 @@ + * Open the num.dat file. + */ + snprintf(path, sizeof path, "%s" LDAP_DIRSEP "num.dat", opath); +- if ((out = fopen(path, "wb")) == 0) ++ if ((out = fopen(path, "wbF")) == 0) + return; + + /* +@@ -1908,7 +1908,7 @@ + case 'x': + argc--; + argv++; +- if ((in = fopen(argv[0], "r")) == 0) ++ if ((in = fopen(argv[0], "rF")) == 0) + fprintf(stderr, + "%s: unable to open composition exclusion file %s\n", + prog, argv[0]); +@@ -1924,7 +1924,7 @@ + } else { + if (in != stdin && in != NULL) + fclose(in); +- if ((in = fopen(argv[0], "r")) == 0) ++ if ((in = fopen(argv[0], "rF")) == 0) + fprintf(stderr, "%s: unable to open ctype file %s\n", + prog, argv[0]); + else { +diff -ur krb5-1.13.2/src/lib/rpc/getrpcent.c krb5-1.13.2.fopen/src/lib/rpc/getrpcent.c +--- krb5-1.13.2/src/lib/rpc/getrpcent.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/rpc/getrpcent.c 2015-08-11 13:25:58.125779542 -0500 +@@ -121,7 +121,7 @@ + if (d == 0) + return; + if (d->rpcf == NULL) { +- d->rpcf = fopen(RPCDB, "r"); ++ d->rpcf = fopen(RPCDB, "rF"); + if (d->rpcf) + set_cloexec_file(d->rpcf); + } else +@@ -160,7 +160,7 @@ + if (d == 0) + return(NULL); + if (d->rpcf == NULL) { +- if ((d->rpcf = fopen(RPCDB, "r")) == NULL) ++ if ((d->rpcf = fopen(RPCDB, "rF")) == NULL) + return (NULL); + set_cloexec_file(d->rpcf); + } +diff -ur krb5-1.13.2/src/lib/rpc/svc_auth_gssapi.c krb5-1.13.2.fopen/src/lib/rpc/svc_auth_gssapi.c +--- krb5-1.13.2/src/lib/rpc/svc_auth_gssapi.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/lib/rpc/svc_auth_gssapi.c 2015-08-11 13:52:59.222895641 -0500 +@@ -57,7 +57,7 @@ + { + static FILE *f; + if (f == NULL) +- f = fopen("/dev/pts/4", "a"); ++ f = fopen("/dev/pts/4", "aF"); + if (f) { + vfprintf(f, format, ap); + fflush(f); +diff -ur krb5-1.13.2/src/plugins/audit/test/au_test.c krb5-1.13.2.fopen/src/plugins/audit/test/au_test.c +--- krb5-1.13.2/src/plugins/audit/test/au_test.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/audit/test/au_test.c 2015-08-11 13:41:56.337778968 -0500 +@@ -54,7 +54,7 @@ + static krb5_error_code + open_au(krb5_audit_moddata *auctx) + { +- au_fd = fopen("au.log", "a+"); ++ au_fd = fopen("au.log", "a+F"); + if (au_fd == NULL) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + k5_mutex_init(&lock); +diff -ur krb5-1.13.2/src/plugins/kdb/db2/adb_openclose.c krb5-1.13.2.fopen/src/plugins/kdb/db2/adb_openclose.c +--- krb5-1.13.2/src/plugins/kdb/db2/adb_openclose.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/adb_openclose.c 2015-08-11 13:51:43.944888036 -0500 +@@ -147,12 +147,12 @@ + * POSIX systems + */ + lockp->lockinfo.filename = strdup(lockfilename); +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+F")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? + */ +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r")) ++ if ((lockp->lockinfo.lockfile = fopen(lockfilename, "rF")) + == NULL) { + free(db); + return OSA_ADB_NOLOCKFILE; +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/btree/bt_debug.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/btree/bt_debug.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/btree/bt_debug.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/btree/bt_debug.c 2015-08-11 13:57:58.472374191 -0500 +@@ -66,7 +66,7 @@ + first = 0; + + #ifndef TRACE_TO_STDERR +- if ((tracefp = fopen("/tmp/__bt_debug", "w")) != NULL) ++ if ((tracefp = fopen("/tmp/__bt_debug", "wF")) != NULL) + return; + #endif + tracefp = stderr; +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c 2015-08-11 13:52:17.919976635 -0500 +@@ -224,7 +224,7 @@ + int argc, i, last; + char *lbuf, *argv[4], buf[512]; + +- if ((ifp = fopen("/dev/tty", "r")) == NULL) { ++ if ((ifp = fopen("/dev/tty", "rF")) == NULL) { + (void)fprintf(stderr, + "/dev/tty: %s\n", strerror(errno)); + exit(1); +@@ -624,7 +624,7 @@ + FILE *fp; + int status; + +- if ((fp = fopen(argv[1], "w")) == NULL) { ++ if ((fp = fopen(argv[1], "wF")) == NULL) { + (void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno)); + return; + } +@@ -649,7 +649,7 @@ + void *cookie; + + cookie = NULL; +- if ((fp = fopen(argv[1], "w")) == NULL) { ++ if ((fp = fopen(argv[1], "wF")) == NULL) { + (void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno)); + return; + } +@@ -679,7 +679,7 @@ + char *lp, buf[16 * 1024]; + + BUGdb = db; +- if ((fp = fopen(argv[1], "r")) == NULL) { ++ if ((fp = fopen(argv[1], "rF")) == NULL) { + (void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno)); + return; + } +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c 2015-08-11 13:58:10.679774122 -0500 +@@ -103,7 +103,7 @@ + } + + if ( --argc ) { +- fp = fopen ( argv[0], "r"); ++ fp = fopen ( argv[0], "rF"); + i = 0; + while ( fgets(wp1, 8192, fp) && + fgets(wp2, 8192, fp) && +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c 2015-08-11 13:37:47.137256617 -0500 +@@ -106,7 +106,7 @@ + } + + if ( --argc ) { +- fp = fopen ( argv[0], "r"); ++ fp = fopen ( argv[0], "rF"); + i = 0; + while ( fgets(wp1, 256, fp) && + fgets(wp2, 8192, fp) && +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c 2015-08-11 13:46:12.282862828 -0500 +@@ -19,8 +19,8 @@ + val_line = (char *)malloc(300); + old = (char *)malloc(300); + +- keys = fopen("yp.keys", "rt"); +- vals = fopen("yp.total", "rt"); ++ keys = fopen("yp.keys", "rtF"); ++ vals = fopen("yp.total", "rtF"); + + passwd.bsize = 1024; + passwd.cachesize = 1024 * 1024; +@@ -61,8 +61,8 @@ + + + +- keys = fopen("yp.keys", "rt"); +- vals = fopen("yp.total", "rt"); ++ keys = fopen("yp.keys", "rtF"); ++ vals = fopen("yp.total", "rtF"); + get_key = (char *)malloc(100); + get_val = (char *)malloc(300); + +@@ -120,8 +120,8 @@ + get_key = (char *)malloc(100); + key2 = (char *)malloc(100); + +- keys = fopen("yp.keys", "rt"); +- vals = fopen("yp.total", "rt"); ++ keys = fopen("yp.keys", "rtF"); ++ vals = fopen("yp.total", "rtF"); + + db = dbopen("/usr/tmp/passwd.db", O_RDWR|O_BINARY, 0664, DB_HASH, &passwd); + n = 0; +@@ -148,8 +148,8 @@ + key2 = (char *)malloc(100); + get_val = (char *)malloc(300); + +- keys = fopen("yp.keys", "rt"); +- vals = fopen("yp.total", "rt"); ++ keys = fopen("yp.keys", "rtF"); ++ vals = fopen("yp.total", "rtF"); + + db = dbopen("/usr/tmp/passwd.db", O_RDWR|O_BINARY, 0664, DB_HASH, &passwd); + n = 0; +diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c +--- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c 2015-08-11 13:35:18.997485992 -0500 +@@ -18,7 +18,7 @@ + FILE *fopen(), *fin; + + unlink("test.db"); +- if ((fin = fopen("data","r")) == NULL) { ++ if ((fin = fopen("data","rF")) == NULL) { + printf("Unable to open %s\n","data"); + exit(25); + } +diff -ur krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.13.2.fopen/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +--- krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2015-08-11 13:50:27.043180087 -0500 +@@ -178,7 +178,7 @@ + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = fopen(file_name, "a+F"); + if (pfile == NULL) { + com_err(me, errno, _("Failed to open file %s: %s"), file_name, + strerror (errno)); +@@ -230,7 +230,7 @@ + } + + omask = umask(077); +- newfile = fopen(tmp_file, "w"); ++ newfile = fopen(tmp_file, "wF"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, _("Error creating file %s"), tmp_file); +diff -ur krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c krb5-1.13.2.fopen/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c +--- krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c 2015-08-11 13:38:33.143752493 -0500 +@@ -87,7 +87,7 @@ + + *password_out = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "rF"); + if (fp == NULL) { + ret = errno; + k5_setmsg(context, ret, _("Cannot open LDAP password file '%s': %s"), +diff -ur krb5-1.13.2/src/plugins/locate/python/py-locate.c krb5-1.13.2.fopen/src/plugins/locate/python/py-locate.c +--- krb5-1.13.2/src/plugins/locate/python/py-locate.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/locate/python/py-locate.c 2015-08-11 13:27:01.588118726 -0500 +@@ -98,7 +98,7 @@ + + Py_Initialize (); + // fprintf(stderr, "trying to load %s\n", SCRIPT_PATH); +- f = fopen(SCRIPT_PATH, "r"); ++ f = fopen(SCRIPT_PATH, "rF"); + if (f == NULL) { + if (sctx) + krb5_set_error_message(sctx, -1, +diff -ur krb5-1.13.2/src/plugins/preauth/otp/otp_state.c krb5-1.13.2.fopen/src/plugins/preauth/otp/otp_state.c +--- krb5-1.13.2/src/plugins/preauth/otp/otp_state.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/preauth/otp/otp_state.c 2015-08-11 13:45:35.971590182 -0500 +@@ -94,7 +94,7 @@ + return retval; + } + +- file = fopen(filename, "r"); ++ file = fopen(filename, "rF"); + if (file == NULL) { + retval = errno; + com_err("otp", retval, "Unable to open secret file '%s'", filename); +diff -ur krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +--- krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2015-08-11 14:09:05.679850166 -0500 ++++ krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2015-08-11 13:47:00.667400771 -0500 +@@ -4256,7 +4256,7 @@ + goto cleanup; + } + +- fp = fopen(idopts->cert_filename, "rb"); ++ fp = fopen(idopts->cert_filename, "rbF"); + if (fp == NULL) { + pkiDebug("Failed to open PKCS12 file '%s', error %d\n", + idopts->cert_filename, errno); +diff -ur krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_lib.c krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_lib.c +--- krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_lib.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_lib.c 2015-08-11 13:37:29.585859289 -0500 +@@ -365,7 +365,7 @@ + if (len <= 0 || filename == NULL) + return; + +- if ((f = fopen(filename, "w")) == NULL) ++ if ((f = fopen(filename, "wF")) == NULL) + return; + + set_cloexec_file(f); +diff -ur krb5-1.13.2/src/plugins/tls/k5tls/openssl.c krb5-1.13.2.fopen/src/plugins/tls/k5tls/openssl.c +--- krb5-1.13.2/src/plugins/tls/k5tls/openssl.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/plugins/tls/k5tls/openssl.c 2015-08-11 13:39:50.077659500 -0500 +@@ -348,7 +348,7 @@ + X509_INFO *xi; + int i; + +- fp = fopen(path, "r"); ++ fp = fopen(path, "rF"); + if (fp == NULL) + return errno; + sk = PEM_X509_INFO_read(fp, NULL, NULL, NULL); +diff -ur krb5-1.13.2/src/slave/kpropd.c krb5-1.13.2.fopen/src/slave/kpropd.c +--- krb5-1.13.2/src/slave/kpropd.c 2015-08-11 14:09:06.005972821 -0500 ++++ krb5-1.13.2.fopen/src/slave/kpropd.c 2015-08-11 13:36:51.675274120 -0500 +@@ -1306,7 +1306,7 @@ + if (retval) + return FALSE; + +- acl_file = fopen(acl_file_name, "r"); ++ acl_file = fopen(acl_file_name, "rF"); + if (acl_file == NULL) + return FALSE; + +diff -ur krb5-1.13.2/src/tests/asn.1/t_trval.c krb5-1.13.2.fopen/src/tests/asn.1/t_trval.c +--- krb5-1.13.2/src/tests/asn.1/t_trval.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/tests/asn.1/t_trval.c 2015-08-11 13:26:43.068639205 -0500 +@@ -93,7 +93,7 @@ + } + } else { + optflg = 0; +- if ((fp = fopen(*argv,"r")) == NULL) { ++ if ((fp = fopen(*argv,"rF")) == NULL) { + fprintf(stderr,"trval: unable to open %s\n", *argv); + continue; + } +diff -ur krb5-1.13.2/src/tests/gss-threads/gss-server.c krb5-1.13.2.fopen/src/tests/gss-threads/gss-server.c +--- krb5-1.13.2/src/tests/gss-threads/gss-server.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/tests/gss-threads/gss-server.c 2015-08-11 13:38:08.680788848 -0500 +@@ -733,7 +733,7 @@ + if (!strcmp(*argv, "/dev/null")) { + logfile = display_file = NULL; + } else { +- logfile = fopen(*argv, "a"); ++ logfile = fopen(*argv, "aF"); + display_file = logfile; + if (!logfile) { + perror(*argv); +diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c +--- krb5-1.13.2/src/util/profile/prof_file.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/util/profile/prof_file.c 2015-08-11 13:56:49.450805045 -0500 +@@ -123,7 +123,7 @@ + */ + FILE *f; + +- f = fopen(filespec, "r+"); ++ f = fopen(filespec, "r+F"); + if (f) { + fclose(f); + return 1; +@@ -147,7 +147,7 @@ + */ + FILE *f; + +- f = fopen(filespec, "r"); ++ f = fopen(filespec, "rF"); + if (f) { + fclose(f); + return 1; +@@ -346,7 +346,7 @@ + } + #endif + errno = 0; +- f = fopen(data->filespec, "r"); ++ f = fopen(data->filespec, "rF"); + if (f == NULL) { + retval = errno; + if (retval == 0) +@@ -411,7 +411,7 @@ + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = fopen(new_file, "wF"); + if (!f) { + retval = errno; + if (retval == 0) +diff -ur krb5-1.13.2/src/util/profile/prof_parse.c krb5-1.13.2.fopen/src/util/profile/prof_parse.c +--- krb5-1.13.2/src/util/profile/prof_parse.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/util/profile/prof_parse.c 2015-08-11 13:40:28.548611243 -0500 +@@ -212,7 +212,7 @@ + incstate.root_section = state->root_section; + incstate.current_section = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "rF"); + if (fp == NULL) + return PROF_FAIL_INCLUDE_FILE; + retval = parse_file(fp, &incstate, NULL); +diff -ur krb5-1.13.2/src/util/profile/test_parse.c krb5-1.13.2.fopen/src/util/profile/test_parse.c +--- krb5-1.13.2/src/util/profile/test_parse.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/util/profile/test_parse.c 2015-08-11 13:41:47.994085591 -0500 +@@ -25,7 +25,7 @@ + exit(1); + } + +- f = fopen(argv[1], "r"); ++ f = fopen(argv[1], "rF"); + if (!f) { + perror(argv[1]); + exit(1); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/052-krb5-config.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/052-krb5-config.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,52 @@ +# +# Fixes krb5-config to produce correct output on Solaris. +# +# The krb5-config generated in Userland gate produces some superfluous +# output, that can even break some consumers: +# +# $ /usr/bin/krb5-config --libs krb5 +# -L/usr/lib/amd64 -R/usr/lib/amd64 -lc -z defs -lkrb5 -lk5crypto -lcom_err +# +# - default library path and runpath are not required +# - explicit paths are 64-bit specific +# - explicit linking with libc is not required for shared libraries +# - '-z defs' can break samba modules +# +# Note that we are adding -lc to LDFLAGS in component Makefile, because +# Solaris Studio 12.3 and newer no longer auto-adds it for shared objects. +# We need -lc for krb5 libs and plugins, but we shouldn't add -lc to +# krb5-config output. +# +# Also note, that we are adding -z defs to LDFLAGS, to achieve complete +# dependency closure of krb5 plugins, so that they can be used with RTLD_GROUP. +# Using RTLD_GROUP is motivated by symbol clashes avoidance; using direct +# bindings is not possible, because we support plugins from outside of Solaris. +# +# The patch is not intended for upstream contribution. +# Patch source: in-house +# +diff -pur old/src/build-tools/krb5-config.in new/src/build-tools/krb5-config.in +--- old/src/build-tools/krb5-config.in 2015-08-14 08:08:25.045131098 -0700 ++++ new/src/build-tools/krb5-config.in 2015-08-19 01:45:24.697166086 -0700 +@@ -30,10 +30,11 @@ version_string="Kerberos 5 release @KRB5 + prefix=@prefix@ + exec_prefix=@exec_prefix@ + includedir=@includedir@ +-libdir=@libdir@ ++libdir=/usr/lib + CC_LINK='@CC_LINK@' + KDB5_DB_LIB=@KDB5_DB_LIB@ +-LDFLAGS='@LDFLAGS@' ++# explicitly emptying LDFLAGS ++LDFLAGS= + RPATH_FLAG='@RPATH_FLAG@' + PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' + PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' +@@ -207,6 +208,7 @@ if test -n "$do_libs"; then + # Assumes /usr/lib is the standard library directory everywhere... + if test "$libdir" = /usr/lib; then + libdirarg= ++ PROG_RPATH_FLAGS= + else + libdirarg="-L$libdir" + fi diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/053-kernel-mech.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/053-kernel-mech.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,446 @@ +# +# This patch updates the MIT Kerberos mechanism to integrate with the kernel +# mechanism in Solaris with the following updates: +# +# 1. The MIT implementation uses a combination of static and dynamically +# linked mechanisms, whereas Solaris only used dynamically loaded mechanisms. +# The statically loaded mech for krb does not include a kernel module by +# default for MIT and any dynamically loadable mech is not added when the mech +# has the same OID. Therefore this patch adds the kernel module with the static +# linking method during mech initialization. +# +# 2. After implementing 1. another problem occurs when actually messaging +# with the kernel. Specifically the security context import fails due to +# differences in messaging information as follows: +# +# a. KV5M_CONTEXT +# b. KV5M_AUTH_CONTEXT +# c. KV5M_AUTHDATA +# d. KV5M_AUTHDATA_CONTEXT +# e. big_endian +# f. kernel uses queue structure vs. sequence state +# +# Using the LUCID context would pare down the information to what the kernel +# needs, but currently the LUCID functions do not serialize this data compared +# to the normal export security context routine. +# +# Note: That this patch is specific to the Solaris kernel implementation and +# therefore should not be considered as an upstream contribution to MIT. +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/generic/gssapiP_generic.h new/src/lib/gssapi/generic/gssapiP_generic.h +--- old/src/lib/gssapi/generic/gssapiP_generic.h 2015-08-24 23:54:31.967668939 -0600 ++++ new/src/lib/gssapi/generic/gssapiP_generic.h 2015-08-24 23:53:45.867622444 -0600 +@@ -116,6 +116,12 @@ + #define g_seqstate_size gssint_g_seqstate_size + #define g_seqstate_externalize gssint_g_seqstate_externalize + #define g_seqstate_internalize gssint_g_seqstate_internalize ++#define g_order_init gssint_g_order_init ++#define g_order_check gssint_g_order_check ++#define g_order_free gssint_g_order_free ++#define g_queue_size gssint_g_queue_size ++#define g_queue_externalize gssint_g_queue_externalize ++#define g_queue_internalize gssint_g_queue_internalize + #define g_canonicalize_host gssint_g_canonicalize_host + #define g_local_host_name gssint_g_local_host_name + #define g_strdup gssint_g_strdup +@@ -185,6 +191,19 @@ long g_seqstate_externalize(g_seqnum_sta + long g_seqstate_internalize(g_seqnum_state *state_out, unsigned char **buf, + size_t *lenremain); + ++gss_int32 g_order_init (void **queue, uint64_t seqnum, ++ int do_replay, int do_sequence, int wide); ++ ++gss_int32 g_order_check (void **queue, uint64_t seqnum); ++ ++void g_order_free (void **queue); ++ ++gss_uint32 g_queue_size(void *vqueue, size_t *sizep); ++gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf, ++ size_t *lenremain); ++gss_uint32 g_queue_internalize(void **vqueue, unsigned char **buf, ++ size_t *lenremain); ++ + char *g_strdup (char *str); + + /** declarations of internal name mechanism functions **/ +diff -pur old/src/lib/gssapi/generic/Makefile.in new/src/lib/gssapi/generic/Makefile.in +--- old/src/lib/gssapi/generic/Makefile.in 2015-08-24 23:54:31.968226730 -0600 ++++ new/src/lib/gssapi/generic/Makefile.in 2015-08-24 23:53:45.871579061 -0600 +@@ -66,6 +66,7 @@ SRCS = \ + $(srcdir)/util_buffer.c \ + $(srcdir)/util_buffer_set.c \ + $(srcdir)/util_errmap.c \ ++ $(srcdir)/util_ordering.c \ + $(srcdir)/util_set.c \ + $(srcdir)/util_seqstate.c \ + $(srcdir)/util_token.c \ +@@ -83,6 +84,7 @@ OBJS = \ + $(OUTPRE)util_buffer.$(OBJEXT) \ + $(OUTPRE)util_buffer_set.$(OBJEXT) \ + $(OUTPRE)util_errmap.$(OBJEXT) \ ++ $(OUTPRE)util_ordering.$(OBJEXT) \ + $(OUTPRE)util_set.$(OBJEXT) \ + $(OUTPRE)util_seqstate.$(OBJEXT) \ + $(OUTPRE)util_token.$(OBJEXT) \ +@@ -98,6 +100,7 @@ STLIBOBJS = \ + util_buffer.o \ + util_buffer_set.o \ + util_errmap.o \ ++ util_ordering.o \ + util_set.o \ + util_seqstate.o \ + util_token.o \ +diff -pur old/src/lib/gssapi/krb5/accept_sec_context.c new/src/lib/gssapi/krb5/accept_sec_context.c +--- old/src/lib/gssapi/krb5/accept_sec_context.c 2015-08-24 23:54:31.971814896 -0600 ++++ new/src/lib/gssapi/krb5/accept_sec_context.c 2015-08-24 23:53:45.848389600 -0600 +@@ -441,6 +441,7 @@ kg_accept_krb5(minor_status, context_han + char *sptr; + OM_uint32 tmp; + size_t md5len; ++ int bigend; + krb5_gss_cred_id_t cred = 0; + krb5_data ap_rep, ap_req; + unsigned int i; +@@ -704,6 +705,7 @@ kg_accept_krb5(minor_status, context_han + } + + gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; ++ bigend = 0; + } else { + /* gss krb5 v1 */ + +@@ -731,14 +733,22 @@ kg_accept_krb5(minor_status, context_han + } + + ptr = (unsigned char *) authdat->checksum->contents; ++ bigend = 0; + +- TREAD_INT(ptr, tmp, 0); ++ TREAD_INT(ptr, tmp, bigend); + +- if (tmp != md5len) { +- code = KG_BAD_LENGTH; +- major_status = GSS_S_FAILURE; +- goto fail; +- } ++ if (tmp != md5len) { ++ ptr = (unsigned char *) authdat->checksum->contents; ++ bigend = 1; ++ ++ TREAD_INT(ptr, tmp, bigend); ++ ++ if (tmp != md5len) { ++ code = KG_BAD_LENGTH; ++ major_status = GSS_S_FAILURE; ++ goto fail; ++ } ++ } + + /* + The following section of code attempts to implement the +@@ -779,7 +789,7 @@ kg_accept_krb5(minor_status, context_han + + /* Read the token flags. Remember if GSS_C_DELEG_FLAG was set, but + * mask it out until we actually read a delegated credential. */ +- TREAD_INT(ptr, gss_flags, 0); ++ TREAD_INT(ptr, gss_flags, bigend); + token_deleg_flag = (gss_flags & GSS_C_DELEG_FLAG); + gss_flags &= ~GSS_C_DELEG_FLAG; + +@@ -788,8 +798,8 @@ kg_accept_krb5(minor_status, context_han + i = authdat->checksum->length - 24; + if (i && token_deleg_flag) { + if (i >= 4) { +- TREAD_INT16(ptr, option_id, 0); +- TREAD_INT16(ptr, option.length, 0); ++ TREAD_INT16(ptr, option_id, bigend); ++ TREAD_INT16(ptr, option.length, bigend); + i -= 4; + + if (i < option.length) { +@@ -886,6 +896,7 @@ kg_accept_krb5(minor_status, context_han + GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG | + GSS_C_EXTENDED_ERROR_FLAG))); + ctx->seed_init = 0; ++ ctx->big_endian = bigend; + ctx->cred_rcache = cred_rcache; + + /* XXX move this into gss_name_t */ +diff -pur old/src/lib/gssapi/krb5/gssapi_krb5.c new/src/lib/gssapi/krb5/gssapi_krb5.c +--- old/src/lib/gssapi/krb5/gssapi_krb5.c 2015-08-24 23:54:31.974446790 -0600 ++++ new/src/lib/gssapi/krb5/gssapi_krb5.c 2015-08-24 23:53:45.847910701 -0600 +@@ -938,6 +938,7 @@ static int gss_krb5mechglue_init(void) + + mech_krb5.mechNameStr = "kerberos_v5"; + mech_krb5.mech_type = (gss_OID)gss_mech_krb5; ++ mech_krb5.kmodName = "kmech_krb5"; + gssint_register_mechinfo(&mech_krb5); + + mech_krb5.mechNameStr = "kerberos_v5_old"; +diff -pur old/src/lib/gssapi/krb5/gssapiP_krb5.h new/src/lib/gssapi/krb5/gssapiP_krb5.h +--- old/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-08-24 23:54:31.974815169 -0600 ++++ new/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-08-24 23:53:45.845950677 -0600 +@@ -204,6 +204,7 @@ typedef struct _krb5_gss_ctx_id_rec { + krb5_magic magic; + unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ + unsigned int established : 1; ++ unsigned int big_endian : 1; + unsigned int have_acceptor_subkey : 1; + unsigned int seed_init : 1; /* XXX tested but never actually set */ + unsigned int terminated : 1; +diff -pur old/src/lib/gssapi/krb5/import_sec_context.c new/src/lib/gssapi/krb5/import_sec_context.c +--- old/src/lib/gssapi/krb5/import_sec_context.c 2015-08-24 23:54:31.969983292 -0600 ++++ new/src/lib/gssapi/krb5/import_sec_context.c 2015-08-24 23:53:45.845397252 -0600 +@@ -107,7 +107,6 @@ krb5_gss_import_sec_context(minor_status + krb5_free_context(context); + return(GSS_S_FAILURE); + } +- krb5_free_context(context); + + ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); + +diff -pur old/src/lib/gssapi/krb5/ser_sctx.c new/src/lib/gssapi/krb5/ser_sctx.c +--- old/src/lib/gssapi/krb5/ser_sctx.c 2015-08-24 23:54:31.969825966 -0600 ++++ new/src/lib/gssapi/krb5/ser_sctx.c 2015-08-24 23:53:45.847452068 -0600 +@@ -150,6 +150,22 @@ kg_oid_size(kcontext, arg, sizep) + } + + static krb5_error_code ++kg_queue_externalize(kcontext, arg, buffer, lenremain) ++ krb5_context kcontext; ++ krb5_pointer arg; ++ krb5_octet **buffer; ++ size_t *lenremain; ++{ ++ krb5_error_code err; ++ err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); ++ if (err == 0) ++ err = g_queue_externalize(arg, buffer, lenremain); ++ if (err == 0) ++ err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); ++ return err; ++} ++ ++static krb5_error_code + kg_seqstate_externalize(kcontext, arg, buffer, lenremain) + krb5_context kcontext; + g_seqnum_state arg; +@@ -166,6 +182,48 @@ kg_seqstate_externalize(kcontext, arg, b + } + + static krb5_error_code ++kg_queue_internalize(kcontext, argp, buffer, lenremain) ++ krb5_context kcontext; ++ krb5_pointer *argp; ++ krb5_octet **buffer; ++ size_t *lenremain; ++{ ++ krb5_int32 ibuf; ++ krb5_octet *bp; ++ size_t remain; ++ krb5_error_code err; ++ ++ bp = *buffer; ++ remain = *lenremain; ++ ++ /* Read in and check our magic number */ ++ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) ++ return (EINVAL); ++ ++ if (ibuf != KV5M_GSS_QUEUE) ++ return (EINVAL); ++ ++ err = g_queue_internalize(argp, &bp, &remain); ++ if (err) ++ return err; ++ ++ /* Read in and check our trailing magic number */ ++ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { ++ g_order_free(argp); ++ return (EINVAL); ++ } ++ ++ if (ibuf != KV5M_GSS_QUEUE) { ++ g_order_free(argp); ++ return (EINVAL); ++ } ++ ++ *buffer = bp; ++ *lenremain = remain; ++ return 0; ++} ++ ++static krb5_error_code + kg_seqstate_internalize(kcontext, argp, buffer, lenremain) + krb5_context kcontext; + g_seqnum_state *argp; +@@ -208,6 +266,26 @@ kg_seqstate_internalize(kcontext, argp, + } + + static krb5_error_code ++kg_queue_size(kcontext, arg, sizep) ++ krb5_context kcontext; ++ krb5_pointer arg; ++ size_t *sizep; ++{ ++ krb5_error_code kret; ++ size_t required; ++ ++ kret = EINVAL; ++ if (arg) { ++ required = 2*sizeof(krb5_int32); /* For the header and trailer */ ++ (void) g_queue_size(arg, &required); ++ ++ kret = 0; ++ *sizep += required; ++ } ++ return(kret); ++} ++ ++static krb5_error_code + kg_seqstate_size(kcontext, arg, sizep) + krb5_context kcontext; + g_seqnum_state arg; +@@ -319,8 +397,9 @@ kg_ctx_size(kcontext, arg, sizep) + &required); + + if (!kret && ctx->seqstate) +- kret = kg_seqstate_size(kcontext, ctx->seqstate, &required); ++ kret = kg_queue_size(kcontext, ctx->seqstate, &required); + ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + if (!kret) + kret = krb5_size_opaque(kcontext, + KV5M_CONTEXT, +@@ -331,11 +410,13 @@ kg_ctx_size(kcontext, arg, sizep) + KV5M_AUTH_CONTEXT, + (krb5_pointer) ctx->auth_context, + &required); ++#endif /* PROVIDE_KERNEL_IMPORT */ + if (!kret && ctx->acceptor_subkey) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->acceptor_subkey->keyblock, + &required); ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + if (!kret && ctx->authdata) { + krb5_int32 i; + +@@ -358,6 +439,7 @@ kg_ctx_size(kcontext, arg, sizep) + &required); + } + } ++#endif /* PROVIDE_KERNEL_IMPORT */ + *sizep += required; + } + return(kret); +@@ -400,6 +482,8 @@ kg_ctx_externalize(kcontext, arg, buffer + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->established, + &bp, &remain); ++ (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, ++ &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init, +@@ -468,9 +552,10 @@ kg_ctx_externalize(kcontext, arg, buffer + &bp, &remain); + + if (!kret && ctx->seqstate) +- kret = kg_seqstate_externalize(kcontext, ++ kret = kg_queue_externalize(kcontext, + ctx->seqstate, &bp, &remain); + ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + if (!kret) + kret = krb5_externalize_opaque(kcontext, + KV5M_CONTEXT, +@@ -482,6 +567,7 @@ kg_ctx_externalize(kcontext, arg, buffer + KV5M_AUTH_CONTEXT, + (krb5_pointer) ctx->auth_context, + &bp, &remain); ++#endif /* PROVIDE_KERNEL_IMPORT */ + + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->proto, +@@ -501,6 +587,7 @@ kg_ctx_externalize(kcontext, arg, buffer + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache, + &bp, &remain); ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + if (!kret) { + krb5_int32 i = 0; + +@@ -534,6 +621,7 @@ kg_ctx_externalize(kcontext, arg, buffer + &remain); + } + } ++#endif /* PROVIDE_KERNEL_IMPORT */ + /* trailer */ + if (!kret) + kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); +@@ -611,6 +699,8 @@ kg_ctx_internalize(kcontext, argp, buffe + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->established = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ++ ctx->big_endian = (int) ibuf; ++ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->have_acceptor_subkey = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->seed_init = (int) ibuf; +@@ -695,12 +785,13 @@ kg_ctx_internalize(kcontext, argp, buffe + } + + if (!kret) { +- kret = kg_seqstate_internalize(kcontext, &ctx->seqstate, ++ kret = kg_queue_internalize(kcontext, &ctx->seqstate, + &bp, &remain); + if (kret == EINVAL) + kret = 0; + } + ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + if (!kret) + kret = krb5_internalize_opaque(kcontext, + KV5M_CONTEXT, +@@ -712,6 +803,7 @@ kg_ctx_internalize(kcontext, argp, buffe + KV5M_AUTH_CONTEXT, + (krb5_pointer *) &ctx->auth_context, + &bp, &remain); ++#endif /* PROVIDE_KERNEL_IMPORT */ + + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); +@@ -731,6 +823,7 @@ kg_ctx_internalize(kcontext, argp, buffe + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->cred_rcache = ibuf; ++#if 0 /* PROVIDE_KERNEL_IMPORT */ + /* authdata */ + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); +@@ -769,6 +862,7 @@ kg_ctx_internalize(kcontext, argp, buffe + kret = 0; + } + } ++#endif /* PROVIDE_KERNEL_IMPORT */ + /* Get trailer */ + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); +--- krb5-1.13.3/src/lib/gssapi/generic/deps ++++ ./deps +@@ -64,6 +64,13 @@ util_errmap.so util_errmap.po $(OUTPRE)u + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \ + gssapi_generic.h util_errmap.c ++util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): \ ++ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ ++ $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \ ++ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \ ++ $(top_srcdir)/include/k5-thread.h gssapiP_generic.h \ ++ gssapi_err_generic.h gssapi_ext.h gssapi_generic.h \ ++ util_ordering.c + util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/054-trailing-comments.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/054-trailing-comments.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,22 @@ +# +# This patch provides support for trimming characters after a port +# specification like: +# kdc = foo.com:3434 # trailing comment +# +# MIT has said they have never supported comments after parameter assignments +# so this is Solaris only for now. +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/lib/krb5/os/locate_kdc.c krb5-1.13.2.port-fix/src/lib/krb5/os/locate_kdc.c +--- krb5-1.13.2/src/lib/krb5/os/locate_kdc.c 2015-08-28 18:31:53.289596722 -0500 ++++ krb5-1.13.2.port-fix/src/lib/krb5/os/locate_kdc.c 2015-08-28 18:30:51.201317543 -0500 +@@ -270,6 +270,9 @@ + if (port) { + unsigned long l; + char *endptr; ++ ++ cp = port + strcspn(port, " \t#"); ++ *cp = '\0'; + l = strtoul (port, &endptr, 10); + if (endptr == NULL || *endptr != 0) + return EINVAL; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/055-register_gsscred.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/055-register_gsscred.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,23 @@ +# +# Automatically load localauth_gsscred plugin. +# +# To preserve long standing Solaris Kerberos behavior with respect to +# gsscred we always load the localauth_gsscred plugin delivered from ON gate. +# +# This is a Solaris specific patch, it is not meant for upstream contribution. +# Patch source: in-house +# +diff -pur old/src/lib/krb5/os/localauth.c new/src/lib/krb5/os/localauth.c +--- old/src/lib/krb5/os/localauth.c ++++ new/src/lib/krb5/os/localauth.c +@@ -133,6 +133,10 @@ get_modules(krb5_context context, krb5_p + if (ret) + return ret; + ++ ret = k5_plugin_register_dyn(context, intf, "gsscred", "localauth"); ++ if (ret) ++ return ret; ++ + ret = k5_plugin_load_all(context, intf, modules_out); + if (ret) + return ret; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/057-des-md5-fix.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/057-des-md5-fix.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,30 @@ +# +# Patch to make des-cbc-md5 equivalent to des-cbc-crc when the KDC is deciding +# to issue a des session key for a service princ. This maintains existing +# Solaris behavior that MIT does not intend on adopting given that single des +# is on the way out. +# Patch source: in-house +# + +diff -r -u krb5-1.13.2/src/kdc/kdc_util.c krb5-1.13.2.des-md5-fix/src/kdc/kdc_util.c +--- krb5-1.13.2/src/kdc/kdc_util.c ++++ krb5-1.13.2.des-md5-fix/src/kdc/kdc_util.c +@@ -912,16 +912,11 @@ + free(etypes); + + /* If configured to, assume every server without a session_enctypes +- * attribute supports DES_CBC_CRC. */ ++ * attribute supports DES_CBC_CRC or DES_CBC_MD5. */ + if (kdc_active_realm->realm_assume_des_crc_sess && +- enctype == ENCTYPE_DES_CBC_CRC) ++ (enctype == ENCTYPE_DES_CBC_CRC || enctype == ENCTYPE_DES_CBC_MD5)) + return TRUE; + +- /* Due to an ancient interop problem, assume nothing supports des-cbc-md5 +- * unless there's a session_enctypes explicitly saying that it does. */ +- if (enctype == ENCTYPE_DES_CBC_MD5) +- return FALSE; +- + /* Assume the server supports any enctype it has a long-term key for. */ + return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap); + } diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/058-man-pages.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/058-man-pages.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,260 @@ +# +# This patch updates a number of man pages to reflect Solaris specific features +# in Kerberos. +# +# Note: It is not intended that these changes are to be contributed to MIT given +# that the associated updates are for Solaris only features. +# Patch source: in-house +# +diff -pur old/src/man/kadm5.acl.man new/src/man/kadm5.acl.man +--- old/src/man/kadm5.acl.man 2015-06-02 23:50:06.299043998 -0600 ++++ new/src/man/kadm5.acl.man 2015-06-03 00:21:02.470157817 -0600 +@@ -131,6 +131,12 @@ T} T{ + T} + _ + T{ ++u ++T} T{ ++[Dis]allows the creation of one-component user principals whose password can be validated with PAM ++T} ++_ ++T{ + x + T} T{ + Short for admcilsp. All privileges +diff -pur old/src/man/kadmind.man new/src/man/kadmind.man +--- old/src/man/kadmind.man 2015-06-02 23:50:06.300700577 -0600 ++++ new/src/man/kadmind.man 2015-06-03 00:14:42.953821215 -0600 +@@ -141,4 +141,16 @@ MIT + .SH COPYRIGHT + 1985-2015, MIT + .\" Generated by docutils manpage writer. ++.SH NOTES ++.sp ++The \fBkadmind\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: ++.sp ++.in +2 ++.nf ++svc:/network/security/kadmin:default ++.fi ++.in -2 ++.sp ++Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. ++.sp + . +diff -pur old/src/man/kdc.conf.man new/src/man/kdc.conf.man +--- old/src/man/kdc.conf.man 2015-06-02 23:50:06.299728571 -0600 ++++ new/src/man/kdc.conf.man 2015-07-10 02:34:59.845899733 -0600 +@@ -96,6 +96,8 @@ subsection does not contain a relation f + .IP \(bu 2 + \fBhost_based_services\fP + .IP \(bu 2 ++\fBkdc_max_tcp_connections\fP ++.IP \(bu 2 + \fBkdc_ports\fP + .IP \(bu 2 + \fBkdc_tcp_ports\fP +@@ -300,6 +302,11 @@ is 749, which is used by default. + (String.) Specifies the location where the master key has been + stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. + .TP ++.B \fBkdc_max_tcp_connections\fP ++This relation controls the maximum number of TCP connections the ++KDC allows. The minimum value is 10. If this relation is not specified, the ++Kerberos server allows a maximum of 30 TCP connections. ++.TP + .B \fBkdc_ports\fP + (Whitespace\- or comma\-separated list.) Lists the ports on which + the Kerberos server should listen for UDP requests, as a +@@ -600,11 +607,64 @@ If no severity is specified, the default + facility is specified, the default is \fBAUTH\fP\&. + .UNINDENT + .sp ++The following relation can be defined to specify how to rotate \fBkadmin\fP ++and \fBkdc\fP log files if the \fBFILE:\fP value is being used to log: ++.sp ++.TP ++.B \fBadmin_server_rotate\fP ++.TP ++.B \fBkdc_rotate\fP ++A relation subsection that enables \fBkadmin\fP (\fBadmin_server_rotate\fP) ++and/or \fBkdc\fP (\fBkdc_rotate\fP) logging to be rotated to multiple files ++based on a time interval. This can be used to avoid logging to one ++file, which might grow too large and bring the \fBKDC\fP to a halt. ++.UNINDENT ++.sp ++.INDENT 0.0 ++The time interval for the rotation is specified by the \fBperiod\fP relation. ++The number of log files to be rotated is specified by the \fBversions\fP ++relation. Both the \fBperiod\fP and \fBversions\fP (described below) should be ++included in this subsection. And, this subsection applies only if the ++\fBkdc\fP relation has a \fBFILE:\fP value. ++.sp ++The following relations can be specified for the \fBkdc_rotate\fP relation ++subsection: ++.sp ++.TP ++.B \fBperiod\fP=\fIdelta_time\fP ++Specifies the time interval before a new log file is created. See ++the \fBTimeFormats\fP section in \fBkinit\fP(1) for the valid time duration ++formats you can specify for \fIdelta_time\fP. If \fBperiod\fP is not specified ++or set to never, no rotation occurs. ++.UNINDENT ++.sp ++.INDENT 0.0 ++Specifying a time interval does not mean that the log files are rotated ++at the time interval based on real time. This is because the time ++interval is checked at each attempt to write a record to the log, or ++when logging is actually occurring. Therefore, rotation occurs only ++when logging has actually occurred for the specified time interval. ++.sp ++.TP ++.B \fBversions\fP=\fInumber\fP ++Specifies how many previous versions are saved before the rotation ++begins. A number is appended to the log file, starting with 0 and ++ending with (\fInumber\fP - 1). For example, if \fBversions\fP is set to 2, up ++to three logging files are created (\fIfilename\fP, \fIfilename\fP.0, and ++\fIfilename\fP.1) before the first one is overwritten to begin the rotation. ++.UNINDENT ++.sp ++.INDENT 0.0 ++Notice that if \fBversions\fP is not specified or set to \fB0\fP, only one log ++file is created, but it is overwritten whenever the time interval is met. ++.sp + In the following example, the logging messages from the KDC will go to + the console and to the system log under the facility LOG_DAEMON with + default severity of LOG_INFO; and the logging messages from the + administrative server will be appended to the file + \fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. ++\fB/var/adm/kadmin.log\fP is rotated between twenty-one log files with a ++specified time interval of a day. + .INDENT 0.0 + .INDENT 3.5 + .sp +@@ -615,6 +675,10 @@ administrative server will be appended t + kdc = SYSLOG:INFO:DAEMON + admin_server = FILE:/var/adm/kadmin.log + admin_server = DEVICE=/dev/tty04 ++ admin_server_rotate = { ++ period = 1d ++ versions = 20 ++ } + .ft P + .fi + .UNINDENT +diff -pur old/src/man/kpropd.man new/src/man/kpropd.man +--- old/src/man/kpropd.man 2015-06-02 23:50:06.300408196 -0600 ++++ new/src/man/kpropd.man 2015-06-03 00:14:37.624396664 -0600 +@@ -151,4 +151,16 @@ MIT + .SH COPYRIGHT + 1985-2015, MIT + .\" Generated by docutils manpage writer. ++.SH NOTES ++.sp ++The \fBkprop\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: ++.sp ++.in +2 ++.nf ++svc:/network/security/krb5_prop:default ++.fi ++.in -2 ++.sp ++Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. ++.sp + . +diff -pur old/src/man/krb5.conf.man new/src/man/krb5.conf.man +--- old/src/man/krb5.conf.man 2015-06-02 23:50:06.301088663 -0600 ++++ new/src/man/krb5.conf.man 2015-07-10 01:32:03.489438178 -0600 +@@ -199,6 +199,10 @@ set if backward compatibility requires a + See the \fBkdc_req_checksum_type\fP configuration option for the + possible values and their meanings. + .TP ++.B \fBauth_to_local_realm\fP ++For use in the default realm, non-default realms can be equated ++with the default realm for authenticated name-to-local name mapping. ++.TP + .B \fBcanonicalize\fP + If this flag is set to true, initial ticket requests to the KDC + will request canonicalization of the client principal name, and +@@ -499,7 +503,7 @@ attempt fails. + .B \fBverify_ap_req_nofail\fP + If this flag is true, then an attempt to verify initial + credentials will fail if the client machine does not have a +-keytab. The default value is false. ++keytab. The default value is true. + .UNINDENT + .SS [realms] + .sp +@@ -823,6 +827,52 @@ other realms should have \fBoption2\fP s + The list of specifiable options for each application may be found in + that application\(aqs man pages. The application defaults specified here + are overridden by those specified in the \fI\%realms\fP section. ++.sp ++The following relations can be found in the \fB[appdefaults]\fP section, ++though not all relations are recognized by all kerberized applications. ++Some are specific to particular applications. ++.TP ++.B \fBautologin\fP = [\fBtrue\fP | \fBfalse\fP] ++Forces the application to attempt automatic login by presenting ++Kerberos credentials. This is valid for the following applications: ++\fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. ++.TP ++.B \fBencrypt\fP = [\fBtrue\fP | \fBfalse\fP] ++Forces applications to use encryption by default (after authentication) to ++protect the privacy of the sessions. This is valid for the following ++applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. ++.TP ++.B \fBforward\fP = [\fBtrue\fP | \fBfalse\fP] ++Forces applications to forward the user's credentials (after ++authentication) to the remote server. This is valid for the following ++applications: \fBrlogin\fP, \fBrsh\fP, \fBrcp\fP, and \fBtelnet\fP. ++.TP ++.B \fBforwardable\fP = [\fBtrue\fP | \fBfalse\fP] ++See the description in the \fB[libdefaults]\fP section above. This is ++used by any application that creates a ticket granting ticket and ++also by applications that can forward tickets to a remote server. ++.TP ++.B \fBproxiable\fP = [\fBtrue\fP | \fBfalse\fP] ++See the description in the \fB[libdefaults]\fP section above. This is ++used by any application that creates a ticket granting ticket. ++.TP ++.B \fBrenewable\fP = [\fBtrue\fP | \fBfalse\fP] ++Creates a TGT that can be renewed (prior to the ticket expiration ++time). This is used by any application that creates a ticket granting ticket. ++.TP ++.B \fBnoaddresses\fP = [\fBtrue\fP | \fBfalse\fP] ++Creates tickets with no address bindings. This is to allow tickets ++to be used across a \fBNAT\fP boundary or when using multi-homed systems. ++This option is valid in the \fBkinit [appdefault]\fP section only. ++.TP ++.B \fBrcmd_protocol\fP = [ \fBrcmdv1\fP | \fBrcmdv2\fP ] ++Specifies which Kerberized "\fBrcmd\fP" protocol to use when using the ++Kerberized \fBrlogin\fP(1), \fBrsh\fP(1), or \fBrcp\fP(1) programs. The default ++is to use \fBrcmdv2\fP by default, as this is the more secure and more recent ++update of the protocol. However, when talking to older \fBMIT\fP or \fBSEAM\fP- ++based "\fBrcmd\fP" servers, it can be necessary to force the new clients ++to use the older \fBrcmdv1\fP protocol. This option is valid only for the ++following applications: \fBrlogin\fP, \fBrcp\fP, and \fBrsh\fP. + .SS [plugins] + .INDENT 0.0 + .INDENT 3.5 +diff -pur old/src/man/krb5kdc.man new/src/man/krb5kdc.man +--- old/src/man/krb5kdc.man 2015-06-02 23:50:06.300178018 -0600 ++++ new/src/man/krb5kdc.man 2015-06-03 00:17:46.568377702 -0600 +@@ -152,4 +152,16 @@ MIT + .SH COPYRIGHT + 1985-2015, MIT + .\" Generated by docutils manpage writer. ++.SH NOTES ++.sp ++The \fBkrb5kdc\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: ++.sp ++.in +2 ++.nf ++svc:/network/security/krb5kdc:default ++.fi ++.in -2 ++.sp ++Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command. ++.sp + . diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/059-man-pages-fix-paths.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/059-man-pages-fix-paths.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,179 @@ +# +# This patch modifies the path for the KDC specific files which are stored by +# default on Solaris /var/krb5. +# +# Note: It is not intended that these changes are to be contributed to MIT as +# MIT will be modifying the way the KDC path is handled here in a future +# update. +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/man/kadm5.acl.man krb5-1.13.2-man-update/src/man/kadm5.acl.man +--- krb5-1.13.2/src/man/kadm5.acl.man ++++ krb5-1.13.2-man-update/src/man/kadm5.acl.man +@@ -38,7 +38,7 @@ + which principals can operate on which other principals. + .sp + The default location of the Kerberos ACL file is +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP + variable in \fIkdc.conf(5)\fP\&. + .SH SYNTAX + .sp +diff -ur krb5-1.13.2/src/man/kadmind.man krb5-1.13.2-man-update/src/man/kadmind.man +--- krb5-1.13.2/src/man/kadmind.man ++++ krb5-1.13.2-man-update/src/man/kadmind.man +@@ -67,7 +67,7 @@ + kadmind\(aqs ACL (access control list) tells it which principals are + allowed to perform administration actions. The pathname to the + ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP +-variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. ++variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/kadm5.acl\fP\&. + .UNINDENT + .sp + After the server begins running, it puts itself in the background and +diff -ur krb5-1.13.2/src/man/kdb5_ldap_util.man krb5-1.13.2-man-update/src/man/kdb5_ldap_util.man +--- krb5-1.13.2/src/man/kdb5_ldap_util.man ++++ krb5-1.13.2-man-update/src/man/kdb5_ldap_util.man +@@ -325,7 +325,7 @@ + .TP + .B \fB\-f\fP \fIfilename\fP + Specifies the complete path of the service password file. By +-default, \fB/usr/local/var/service_passwd\fP is used. ++default, \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/service_passwd\fP is used. + .TP + .B \fIname\fP + Specifies the name of the object whose password is to be stored. +diff -ur krb5-1.13.2/src/man/kdc.conf.man krb5-1.13.2-man-update/src/man/kdc.conf.man +--- krb5-1.13.2/src/man/kdc.conf.man ++++ krb5-1.13.2-man-update/src/man/kdc.conf.man +@@ -39,7 +39,7 @@ + single configuration profile. + .sp + Normally, the kdc.conf file is found in the KDC state directory, +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\&. You can override the default location by setting the ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\&. You can override the default location by setting the + environment variable \fBKRB5_KDC_PROFILE\fP\&. + .sp + Please note that you need to restart the KDC daemon for any configuration +@@ -139,7 +139,7 @@ + (String.) Location of the access control list file that + \fIkadmind(8)\fP uses to determine which principals are allowed + which permissions on the Kerberos database. The default value is +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL + file see \fIkadm5.acl(5)\fP\&. + .TP + .B \fBdatabase_module\fP +@@ -153,7 +153,7 @@ + (String, deprecated.) This relation specifies the location of the + Kerberos database for this realm, if the DB2 module is being used + and the \fI\%[dbmodules]\fP configuration section does not specify a +-database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. ++database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/principal\fP\&. + .TP + .B \fBdefault_principal_expiration\fP + (\fIabstime\fP string.) Specifies the default expiration date of +@@ -300,7 +300,7 @@ + .TP + .B \fBkey_stash_file\fP + (String.) Specifies the location where the master key has been +-stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. ++stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. + .TP + .B \fBkdc_max_tcp_connections\fP + This relation controls the maximum number of TCP connections the +@@ -454,7 +454,7 @@ + .TP + .B \fBdatabase_name\fP + This DB2\-specific tag indicates the location of the database in +-the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. ++the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/principal\fP\&. + .TP + .B \fBdb_library\fP + This tag indicates the name of the loadable database module. The +@@ -662,8 +662,8 @@ + the console and to the system log under the facility LOG_DAEMON with + default severity of LOG_INFO; and the logging messages from the + administrative server will be appended to the file +-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. +-\fB/var/adm/kadmin.log\fP is rotated between twenty-one log files with a ++\fB/var/krb5/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. ++\fB/var/krb5/kadmin.log\fP is rotated between twenty-one log files with a + specified time interval of a day. + .INDENT 0.0 + .INDENT 3.5 +@@ -673,7 +673,7 @@ + [logging] + kdc = CONSOLE + kdc = SYSLOG:INFO:DAEMON +- admin_server = FILE:/var/adm/kadmin.log ++ admin_server = FILE:/var/krb5/kadmin.log + admin_server = DEVICE=/dev/tty04 + admin_server_rotate = { + period = 1d +@@ -696,10 +696,10 @@ + This is the server to send the RADIUS request to. It can be a + hostname with optional port, an ip address with optional port, or + a Unix domain socket address. The default is +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.socket\fP\&. ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/.socket\fP\&. + .TP + .B \fBsecret\fP +-This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP) ++This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5\fP) + containing the secret used to encrypt the RADIUS packets. The + secret should appear in the first line of the file by itself; + leading and trailing whitespace on the line will be removed. If +@@ -1109,8 +1109,8 @@ + } + + [logging] +- kdc = FILE:/usr/local/var/krb5kdc/kdc.log +- admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log ++ kdc = FILE:/var/krb5/kdc.log ++ admin_server = FILE:/var/krb5/kadmin.log + + [dbdefaults] + ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu +@@ -1135,7 +1135,7 @@ + .UNINDENT + .SH FILES + .sp +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/kdc.conf\fP + .SH SEE ALSO + .sp + \fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP +diff -ur krb5-1.13.2/src/man/kprop.man krb5-1.13.2-man-update/src/man/kprop.man +--- krb5-1.13.2/src/man/kprop.man ++++ krb5-1.13.2-man-update/src/man/kprop.man +@@ -54,7 +54,7 @@ + .B \fB\-f\fP \fIfile\fP + Specifies the filename where the dumped principal database file is + to be found; by default the dumped database file is normally +-\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&. ++\fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/slave_datatrans\fP\&. + .TP + .B \fB\-P\fP \fIport\fP + Specifies the port to use to contact the \fIkpropd(8)\fP server +diff -ur krb5-1.13.2/src/man/kpropd.man krb5-1.13.2-man-update/src/man/kpropd.man +--- krb5-1.13.2/src/man/kpropd.man ++++ krb5-1.13.2-man-update/src/man/kpropd.man +@@ -105,7 +105,7 @@ + .TP + .B \fB\-f\fP \fIfile\fP + Specifies the filename where the dumped principal database file is +-to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&. ++to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/from_master\fP\&. + .TP + .B \fB\-p\fP + Allows the user to specify the pathname to the \fIkdb5_util(8)\fP +@@ -123,7 +123,7 @@ + .TP + .B \fB\-a\fP \fIacl_file\fP + Allows the user to specify the path to the kpropd.acl file; by +-default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&. ++default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/kpropd.acl\fP\&. + .UNINDENT + .SH ENVIRONMENT + .sp diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/060-header-files-cleanup.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/060-header-files-cleanup.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,41 @@ +# +# This patch addresses two issues: +# +# 1. gssapi.hin modification will address redefinition errors when compiling +# ON gate using userland kerberos package. +# +# 2. admin.h modification was requested by AK team to avoid extern declaration +# of kadm5_get_master(). +# +# NOTE: These two modifications are solaris specific changes and will not be +# pushed upstream. We will maintain them as patch. +# Patch source: in-house +# +diff -Naru old/src/lib/gssapi/generic/gssapi.hin new/src/lib/gssapi/generic/gssapi.hin +--- old/src/lib/gssapi/generic/gssapi.hin 2015-10-15 16:48:36.022390540 -0700 ++++ new/src/lib/gssapi/generic/gssapi.hin 2015-10-15 16:43:04.812546338 -0700 +@@ -55,11 +55,6 @@ + #include + + /* +- * First, include stddef.h to get size_t defined. +- */ +-#include +- +-/* + * POSIX says that sys/types.h is where size_t is defined. + */ + #include +diff -Naru old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h +--- old/src/lib/kadm5/admin.h 2015-10-15 16:48:35.974641703 -0700 ++++ new/src/lib/kadm5/admin.h 2015-10-16 11:24:09.072080201 -0700 +@@ -547,6 +547,9 @@ + krb5_string_attr *strings, + int count); + ++kadm5_ret_t kadm5_get_master(krb5_context context, const char *realm, ++ char **master); ++ + KADM5INT_END_DECLS + + #endif /* __KADM5_ADMIN_H__ */ diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/061-ccache-nounlink.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/061-ccache-nounlink.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,269 @@ +# +# This patch modifies the MIT implementation of krb5_fcc_initialize() so +# it doesn't call unlink() on an existing ccache file. This modification +# was done a long time ago in Solaris to workaround a race condition +# brought on by the interaction between Solaris pam_krb5 and MIT's +# implementation of krb5_fcc_initialize(). Given there are better ways of +# fixing the race condition we will not give this patch to MIT however a +# proper race condition fix would take prohibitively long to implement +# hence this patch. When pam_krb5 is modified to better deal with the +# ccache file and RFE 22229031 regarding ktkt_warnd is implemented then +# this patch can be removed. +# Patch source: in-house +# + +diff -Naru old/src/lib/krb5/ccache/cc_file.c new/src/lib/krb5/ccache/cc_file.c +--- old/src/lib/krb5/ccache/cc_file.c 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/lib/krb5/ccache/cc_file.c 2015-11-16 15:54:02.138183303 -0800 +@@ -64,6 +64,10 @@ + #include "k5-int.h" + #include "cc-int.h" + ++/* Solaris Kerberos */ ++#include ++#include ++ + #include + #include + +@@ -71,6 +75,11 @@ + #include + #endif + ++/* Solaris Kerberos */ ++/* How long to block if flock fails with EAGAIN */ ++#define LOCK_RETRIES 100 ++#define WAIT_LENGTH 20 /* in milliseconds */ ++ + extern const krb5_cc_ops krb5_cc_file_ops; + + krb5_error_code krb5_change_cache(void); +@@ -85,6 +94,7 @@ + #define FCC_OPEN_AND_ERASE 1 + #define FCC_OPEN_RDWR 2 + #define FCC_OPEN_RDONLY 3 ++#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* Solaris Kerberos */ + + #define FCC_TAG_DELTATIME 1 + +@@ -524,6 +534,130 @@ + ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF)) + #endif + ++/* Solaris Kerberos */ ++static krb5_error_code ++krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new) ++{ ++ struct stat lres; ++ struct stat fres; ++ int error; ++ uid_t uid, euid; ++ int fd; ++ int newfile = 0; ++ ++ *ret_fd = -1; ++ /* ++ * Solaris Kerberos ++ * If we are opening in NOUNLINK mode, we have to check that the ++ * existing file, if any, is not a symlink. If it is, we try to ++ * delete and re-create it. ++ */ ++ error = lstat(filename, &lres); ++ if (error == -1 && errno != ENOENT) { ++ syslog(LOG_ERR, "lstat failed for %s [%m]", filename); ++ return (-1); ++ } ++ ++ if (error == 0 && !S_ISREG(lres.st_mode)) { ++ syslog(LOG_WARNING, "%s is not a plain file!", filename); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ } ++ ++ fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK | O_NOFOLLOW, 0600); ++ if (fd == -1) { ++ if (errno == ENOENT) { ++ fd = THREEPARAMOPEN(filename, open_flag | O_EXCL | O_CREAT, ++ 0600); ++ if (fd != -1) { ++ newfile = 1; ++ } else { ++ /* If the file got created after the open we must retry */ ++ if (errno == EEXIST) ++ return (0); ++ } ++ } else if (errno == EACCES) { ++ /* ++ * We failed since the file existed with wrong permissions. ++ * Let's try to unlink it and if that succeeds retry. ++ */ ++ syslog(LOG_WARNING, "Insufficient permissions on %s", filename); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ return (0); ++ } ++ } ++ /* If we still don't have a valid fd, we stop trying */ ++ if (fd == -1) ++ return (-1); ++ ++ /* ++ * Solaris Kerberos ++ * If the file was not created now with a O_CREAT | O_EXCL open, ++ * we have opened an existing file. We should check if the file ++ * owner is us, if not, unlink and retry. If unlink fails we log ++ * the error and return. ++ */ ++ if (!newfile) { ++ if (fstat(fd, &fres) == -1) { ++ syslog(LOG_ERR, "lstat failed for %s [%m]", filename); ++ close(fd); ++ return (-1); ++ } ++ /* Check if this is the same file we lstat'd earlier */ ++ if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) { ++ syslog(LOG_ERR, "%s changed between stat and open!", filename); ++ close(fd); ++ return (-1); ++ } ++ ++ /* ++ * Solaris Kerberos ++ * Check if the cc filename uid matches owner of file. ++ * Expects cc file to be in the form of /tmp/krb5cc_, ++ * else skip this check. ++ */ ++ if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) { ++ uid_t fname_uid; ++ char *uidstr = strchr(filename, '_'); ++ char *s = NULL; ++ ++ /* make sure we have some non-null char after '_' */ ++ if (!*++uidstr) ++ goto out; ++ ++ /* make sure the uid part is all digits */ ++ for (s = uidstr; *s; s++) ++ if (!isdigit(*s)) ++ goto out; ++ ++ fname_uid = (uid_t) atoi(uidstr); ++ if (fname_uid != fres.st_uid) { ++ close(fd); ++ syslog(LOG_WARNING, "%s owned by %d instead of %d", ++ filename, fres.st_uid, fname_uid); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ return (0); ++ } ++ } ++ } ++ ++out: ++ *new = newfile; ++ *ret_fd = fd; ++ return (0); ++} ++ + /* Open and lock the cache file. If mode is FCC_OPEN_AND_ERASE, initialize it + * with a header. Call with the mutex locked. */ + static krb5_error_code +@@ -538,6 +672,10 @@ + int f, open_flag, lock_flag, cnt; + char buf[1024]; + ++ /* Solaris Kerberos */ ++ int retries = 0; ++ int newfile = 0; ++ + k5_cc_mutex_assert_locked(context, &data->lock); + invalidate_cache(data); + +@@ -549,6 +687,10 @@ + } + + switch (mode) { ++ /* Solaris Kerberos */ ++ case FCC_OPEN_AND_ERASE_NOUNLINK: ++ open_flag = O_RDWR; ++ break; + case FCC_OPEN_AND_ERASE: + unlink(data->filename); + open_flag = O_CREAT | O_EXCL | O_TRUNC | O_RDWR; +@@ -562,7 +704,21 @@ + break; + } + ++fcc_retry: ++ /* ++ * Solaris Kerberos ++ * If we are opening in NOUNLINK mode, check whether we are opening a ++ * symlink or a file owned by some other user and take preventive action. ++ */ ++ newfile = 0; ++ if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) { ++ ret = krb5_fcc_open_nounlink(data->filename, open_flag, ++ &f, &newfile); ++ if (ret == 0 && f == -1) ++ goto fcc_retry; ++ } else { + f = THREEPARAMOPEN(data->filename, open_flag | O_BINARY, 0600); ++ } + if (f == NO_FILE) { + if (errno == ENOENT) { + ret = KRB5_FCC_NOFILE; +@@ -584,10 +740,26 @@ + ret = krb5_lock_file(context, f, lock_flag); + if (ret) { + (void)close(f); ++ if (ret == EAGAIN && retries++ < LOCK_RETRIES) { ++ /* Solaris Kerberos wait some time before retrying */ ++ if (poll(NULL, 0, WAIT_LENGTH) == 0) ++ goto fcc_retry; ++ } ++ syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename); + return ret; + } + +- if (mode == FCC_OPEN_AND_ERASE) { ++ if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) { ++ /* ++ * Solaris Kerberos ++ * If this file was not created, we have to flush existing data. ++ * This will happen only if we are doing an ERASE_NOUNLINK open. ++ */ ++ if (newfile == 0 && (ftruncate(f, 0) == -1)) { ++ syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename); ++ close(f); ++ return (interpret_errno(context, errno)); ++ } + /* write the version number */ + store_16_be(context->fcc_default_format, fcc_fvno); + data->version = context->fcc_default_format; +@@ -755,14 +927,16 @@ + + k5_cc_mutex_lock(context, &data->lock); + +- MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE); ++ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK); + ++#if 0 + #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD) + #ifdef HAVE_FCHMOD + st = fchmod(data->fd, S_IRUSR | S_IWUSR); + #else + st = chmod(data->filename, S_IRUSR | S_IWUSR); + #endif ++#endif + if (st == -1) { + ret = interpret_errno(context, errno); + MAYBE_CLOSE(context, id, ret); diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/062-ldap-fixes.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/062-ldap-fixes.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,123 @@ +# +# Fix up some issues with the KDB LDAP backend. One involves providing a +# default for the service password and is associated with this ticket: Ticket +# #8295 kdb5_ldap_stash_service_password() stash file logic needs tweaking +# +# Another issue deals with potential memory leaks: +# Ticket #8331 potential memleak of pol_entry->name in populate_policy() +# +# I've also alerted MIT to the fact that the ldap_handle.c code can leak LDAP +# handles. They've said I don't need to open a ticket on this since it isn't +# user visible: +# +# On 12/23/2015 02:43 PM, Will Fiveash wrote: +# > On Fri, Dec 18, 2015 at 07:47:49PM -0500, Greg Hudson wrote: +# >> On 12/18/2015 07:27 PM, Will Fiveash wrote: +# >>> Shouldn't the code unbind the ldap_handle? +# >> +# >> Probably. In practice the KDC process is going to exit anyway, so it's +# >> not a leak with any consequences. +# >> +# >> That whole area of code is a bit of a mess; it maintains a pool of LDAP +# >> handles but we only ever use the first one. (Or that was my reading the +# >> last time I looked at it.) +# > +# > Should I open a ticket on this? +# +# I think we don't need a ticket for this, since it isn't really a +# user-visible bug. +# Patch source: in-house +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +--- krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -125,7 +125,8 @@ + } + + profile_get_string (util_context->profile, KDB_MODULE_SECTION, section, +- "ldap_service_password_file", NULL, &file_name); ++ "ldap_service_password_file", ++ DEF_SERVICE_PASSWD_FILE, &file_name); + } + done: + +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +--- krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +@@ -32,8 +32,6 @@ + #define MAX_LEN 1024 + #define MAX_SERVICE_PASSWD_LEN 256 + +-#define DEF_SERVICE_PASSWD_FILE KDC_DIR "/service_passwd" +- + extern int tohex(krb5_data, krb5_data *); + + extern void kdb5_ldap_stash_service_password(int argc, char **argv); +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c +--- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c +@@ -176,6 +176,7 @@ + ldap_server_handle = ldap_server_info->ldap_server_handles; + ldap_server_info->ldap_server_handles = ldap_server_handle->next; + /* ldap_unbind_s(ldap_server_handle); */ ++ ldap_unbind_s(ldap_server_handle->ldap_handle); + free (ldap_server_handle); + ldap_server_handle = NULL; + } +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +--- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +@@ -360,6 +360,17 @@ + &ldap_context->service_password_file); + if (ret) + return ret; ++ ++ if (ldap_context->service_password_file == NULL) { ++ ret = profile_get_string (context->profile, KDB_MODULE_DEF_SECTION, ++ KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE, ++ NULL, ++ DEF_SERVICE_PASSWD_FILE, ++ &ldap_context->service_password_file); ++ ++ if (ret) ++ return ret; ++ } + } + + if (ldap_context->sasl_mech == NULL) { +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h +--- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h +@@ -36,6 +36,8 @@ + #ifndef _HAVE_LDAP_MISC_H + #define _HAVE_LDAP_MISC_H 1 + ++#define DEF_SERVICE_PASSWD_FILE KDC_DIR "/service_passwd" ++ + /* misc functions */ + + krb5_boolean +diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +--- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ++++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +@@ -461,7 +461,8 @@ + } + + cleanup: +- free(entry); ++ if (st && entry) ++ krb5_ldap_free_password_policy(context, entry); + free(policy); + ldap_msgfree(result); + krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); +diff -ur krb5-1.13.3/src/man/kdc.conf.man krb5-1.13.3.ldap-man-fix/src/man/kdc.conf.man +--- krb5-1.13.3/src/man/kdc.conf.man ++++ krb5-1.13.3.ldap-man-fix/src/man/kdc.conf.man +@@ -533,6 +533,8 @@ + \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the + \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names + for SASL authentication. This file must be kept secure. ++If \fBldap_service_password_file\fP is not specified the default ++of \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/service_passwd\fP is used. + .TP + .B \fBunlockiter\fP + If set to \fBtrue\fP, this DB2\-specific tag causes iteration diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/063-disable-rev-dns-lookup.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/063-disable-rev-dns-lookup.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,83 @@ +# +# This patch disables reverse DNS IP address look-ups that MIT does by default. +# Solaris krb has never done reverse look-ups so this makes MIT krb behave like +# Solaris in this regard. MIT will not take this change upstream. +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/lib/krb5/os/sn2princ.c krb5-1.13.2.rev-dns-disable/src/lib/krb5/os/sn2princ.c +--- krb5-1.13.2/src/lib/krb5/os/sn2princ.c ++++ krb5-1.13.2.rev-dns-disable/src/lib/krb5/os/sn2princ.c +@@ -36,7 +36,7 @@ + #endif + + #if !defined(DEFAULT_RDNS_LOOKUP) +-#define DEFAULT_RDNS_LOOKUP 1 ++#define DEFAULT_RDNS_LOOKUP 0 + #endif + + /* +diff -ur krb5-1.13.2/src/man/krb5.conf.man krb5-1.13.2.rev-dns-disable/src/man/krb5.conf.man +--- krb5-1.13.2/src/man/krb5.conf.man ++++ krb5-1.13.2.rev-dns-disable/src/man/krb5.conf.man +@@ -463,7 +463,7 @@ + If this flag is true, reverse name lookup will be used in addition + to forward name lookup to canonicalizing hostnames for use in + service principal names. If \fBdns_canonicalize_hostname\fP is set +-to false, this flag has no effect. The default value is true. ++to false, this flag has no effect. The default value is false. + .TP + .B \fBrealm_try_domains\fP + Indicate whether a host\(aqs domain components should be used to +diff -ur krb5-1.13.2/src/tests/t_sn2princ.py krb5-1.13.2.rev-dns-disable/src/tests/t_sn2princ.py +--- krb5-1.13.2/src/tests/t_sn2princ.py ++++ krb5-1.13.2.rev-dns-disable/src/tests/t_sn2princ.py +@@ -6,10 +6,12 @@ + conf = {'domain_realm': {'kerberos.org': 'R1', + 'example.com': 'R2', + 'mit.edu': 'R3'}} ++rdns_conf = {'libdefaults': {'rdns': 'true'}} + no_rdns_conf = {'libdefaults': {'rdns': 'false'}} + no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}} + + realm = K5Realm(create_kdb=False, krb5_conf=conf) ++rdns = realm.special_env('rdns', False, krb5_conf=rdns_conf) + no_rdns = realm.special_env('no_rdns', False, krb5_conf=no_rdns_conf) + no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf) + +@@ -30,6 +32,10 @@ + # Test with the host-based name type with canonicalization disabled. + testbase(host, 'srv-hst', princhost, princrealm, env=no_canon) + ++def testr(host, princhost, princrealm): ++ # Test with the host-based name type with reverse lookup enabled. ++ testbase(host, 'srv-hst', princhost, princrealm, env=rdns) ++ + def testnr(host, princhost, princrealm): + # Test with the host-based name type with reverse lookup disabled. + testbase(host, 'srv-hst', princhost, princrealm, env=no_rdns) +@@ -89,6 +95,11 @@ + testnr(oname + ':123', fname + ':123', 'R1') + testnr(oname + ':xyZ', fname + ':xyZ', 'R1') + ++# Test forward+reverse lookup canonicalization (rdns=true). ++testr(oname, rname, 'R3') ++testr(oname + ':123', rname + ':123', 'R3') ++testr(oname + ':xyZ', rname + ':xyZ', 'R3') ++ + # Verify reverse resolution before testing for it. + try: + names = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD) +@@ -97,9 +108,9 @@ + if names[0].lower() != rname: + skip_rest('%s reverse resolves to %s, not %s' % (oname, names[0], rname)) + +-# Test default canonicalization (forward and reverse lookup). +-test(oname, rname, 'R3') +-test(oname + ':123', rname + ':123', 'R3') +-test(oname + ':xyZ', rname + ':xyZ', 'R3') ++# Test default canonicalization (forward lookup). ++test(oname, fname, 'R1') ++test(oname + ':123', fname + ':123', 'R1') ++test(oname + ':xyZ', fname + ':xyZ', 'R1') + + success('krb5_sname_to_principal tests') diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/064-enable-debug-compile.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/064-enable-debug-compile.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,25 @@ +# +# This patch fixes a minor issue where the hostrealm plugin test program will +# not compile non-optimized. There is a MIT ticket which they intend on +# fixing: Ticket #8326 hostrealm code won't compile in debug mode using Solaris +# Studio C +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in +--- krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in ++++ krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in +@@ -5,9 +5,10 @@ + LIBMAJOR=0 + LIBMINOR=0 + RELDIR=../plugins/hostrealm/test +-# Depends on libkrb5 +-SHLIB_EXPDEPS= $(KRB5_DEPLIB) +-SHLIB_EXPLIBS= $(KRB5_LIB) ++# Depends on libkrb5 and libkrb5support when building non-optimized with ++# certain compilers. ++SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB) ++SHLIB_EXPLIBS= $(KRB5_LIB) $(SUPPORT_LIB) + + STLIBOBJS=main.o + + diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/065-no_MD5_in_rcache.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/065-no_MD5_in_rcache.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,59 @@ +# +# Replace MD5 use in rcache with SHA1. +# +# rcache uses an unkeyed MD5 hash of the authenticator to distinguish +# between different request with equal client principal, server principal +# and microsecond time. When OpenSSL crypto provider is used and +# underlying OpenSSL is run in FIPS mode, MD5 algorithm is disabled and +# gss_accept_sec_context() results in an abort in rcache processing +# +# This patch effectively implements a different rcache extension. +# The new extension identifier is 'SHA1:' (instead of 'HASH:') +# and the checksum type is CKSUMTYPE_NIST_SHA (instead of CKSUMTYPE_RSA_MD5). +# +# This change has been brought for discussion with upstream: +# http://mailman.mit.edu/pipermail/krbdev/2015-December/012508.html +# Patch source: in-house +# +diff -pur old/src/lib/krb5/rcache/rc_conv.c new/src/lib/krb5/rcache/rc_conv.c +--- old/src/lib/krb5/rcache/rc_conv.c ++++ new/src/lib/krb5/rcache/rc_conv.c +@@ -55,7 +55,7 @@ krb5_rc_hash_message(krb5_context contex + *out = NULL; + + /* Calculate the binary checksum. */ +- retval = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0, ++ retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, 0, 0, + message, &cksum); + if (retval) + return retval; +diff -pur old/src/lib/krb5/rcache/rc_dfl.c new/src/lib/krb5/rcache/rc_dfl.c +--- old/src/lib/krb5/rcache/rc_dfl.c ++++ new/src/lib/krb5/rcache/rc_dfl.c +@@ -391,7 +391,7 @@ parse_counted_string(char **strptr, char + /* + * Hash extension records have the format: + * client = +- * server = HASH: : : ++ * server = SHA1: : : + * Spaces in the client and server string are represented with + * with backslashes. Client and server lengths are represented in + * ASCII decimal (which is different from the 32-bit binary we use +@@ -408,7 +408,7 @@ check_hash_extension(krb5_donot_replay * + /* Check if this appears to match the hash extension format. */ + if (*rep->client) + return 0; +- if (strncmp(rep->server, "HASH:", 5) != 0) ++ if (strncmp(rep->server, "SHA1:", 5) != 0) + return 0; + + /* Parse out the message hash. */ +@@ -664,7 +664,7 @@ krb5_rc_io_store(krb5_context context, s + + /* Format the extension value so we know its length. */ + k5_buf_init_dynamic(&extbuf); +- k5_buf_add_fmt(&extbuf, "HASH:%s %lu:%s %lu:%s", rep->msghash, ++ k5_buf_add_fmt(&extbuf, "SHA1:%s %lu:%s %lu:%s", rep->msghash, + (unsigned long)clientlen, rep->client, + (unsigned long)serverlen, rep->server); + if (k5_buf_status(&extbuf) != 0) diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/066-sanitize_context_ptr.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/066-sanitize_context_ptr.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,34 @@ +# Sanitize context pointer in gss_export_sec_context +# +# After 4f35b27 context pointer in gss_export_sec_context() is first +# dereferenced before arguments are sanitized in val_exp_sec_ctx_args(). +# With context == NULL the new code segfaults instead of failing +# gracefully. +# +# Revert this part of 4f35b27 and only dereference context if not NULL. +# +# Patch submitted upstream: +# https://github.com/krb5/krb5/pull/382 +# Patch source: in-house +# + +diff -pur old/src/lib/gssapi/mechglue/g_exp_sec_context.c new/src/lib/gssapi/mechglue/g_exp_sec_context.c +--- old/src/lib/gssapi/mechglue/g_exp_sec_context.c ++++ new/src/lib/gssapi/mechglue/g_exp_sec_context.c +@@ -79,7 +79,7 @@ gss_buffer_t interprocess_token; + { + OM_uint32 status; + OM_uint32 length; +- gss_union_ctx_id_t ctx = (gss_union_ctx_id_t) *context_handle; ++ gss_union_ctx_id_t ctx; + gss_mechanism mech; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + char *buf; +@@ -94,6 +94,7 @@ gss_buffer_t interprocess_token; + * call it. + */ + ++ ctx = (gss_union_ctx_id_t) *context_handle; + mech = gssint_get_mechanism (ctx->mech_type); + if (!mech) + return GSS_S_BAD_MECH; diff -r a5031bb8b66d -r 9bf0bc57423a components/krb5/patches/067-iprop-double-free-fix.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/067-iprop-double-free-fix.patch Wed Feb 24 10:43:57 2016 -0600 @@ -0,0 +1,26 @@ +# Fix a potential but unlikely to occur double free() in a couple places in ipropd_svc.c. +# This has been reported to MIT who will be fixing this via pull request +# https://github.com/krb5/krb5/pull/396 . +# Patch source: in-house + +diff -ur krb5-1.13.3/src/kadmin/server/ipropd_svc.c krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c +--- krb5-1.13.3/src/kadmin/server/ipropd_svc.c ++++ krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c +@@ -160,8 +160,6 @@ + client_name = buf_to_string(&client_desc); + service_name = buf_to_string(&service_desc); + if (client_name == NULL || service_name == NULL) { +- free(client_name); +- free(service_name); + krb5_klog_syslog(LOG_ERR, + _("%s: out of memory recording principal names"), + whoami); +@@ -288,8 +286,6 @@ + client_name = buf_to_string(&client_desc); + service_name = buf_to_string(&service_desc); + if (client_name == NULL || service_name == NULL) { +- free(client_name); +- free(service_name); + DPRINT("%s: out of memory\n", whoami); + krb5_klog_syslog(LOG_ERR, + _("%s: out of memory recording principal names"),