krb5 commit: Remove unnecessary directories
Greg Hudson
ghudson at mit.edu
Thu Aug 4 11:05:17 EDT 2016
https://github.com/krb5/krb5/commit/1ced29ba544dfcb15b0f04d19579a907409c82f3
commit 1ced29ba544dfcb15b0f04d19579a907409c82f3
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Aug 3 11:26:13 2016 -0400
Remove unnecessary directories
Remove the plugin modules wpse, cksum_body, and locate/python, which
aren't used by the test suite or built by default.
Remove util/collected-client-lib, as we no longer have a need to
create a smaller client-only library.
Remove util/gss-kernel-lib, as it turned out not to be useful for
facilitating kernel integrations.
src/Makefile.in | 3 -
src/configure.in | 14 -
src/plugins/locate/python/Makefile.in | 24 -
src/plugins/locate/python/deps | 9 -
src/plugins/locate/python/locate-service.py | 77 ---
src/plugins/locate/python/py-locate.c | 323 -----------
src/plugins/locate/python/python.exports | 1 -
src/plugins/preauth/cksum_body/Makefile.in | 26 -
src/plugins/preauth/cksum_body/cksum_body.exports | 2 -
src/plugins/preauth/cksum_body/cksum_body_main.c | 611 --------------------
src/plugins/preauth/cksum_body/deps | 8 -
src/plugins/preauth/wpse/Makefile.in | 26 -
src/plugins/preauth/wpse/deps | 7 -
src/plugins/preauth/wpse/wpse.exports | 2 -
src/plugins/preauth/wpse/wpse_main.c | 477 ---------------
src/util/Makefile.in | 3 +-
src/util/collected-client-lib/Makefile.in | 78 ---
src/util/collected-client-lib/deps | 1 -
src/util/collected-client-lib/libcollected.exports | 286 ---------
src/util/gss-kernel-lib/Makefile.in | 229 --------
src/util/gss-kernel-lib/README | 121 ----
src/util/gss-kernel-lib/deps | 126 ----
src/util/gss-kernel-lib/kernel_gss.c | 213 -------
src/util/gss-kernel-lib/kernel_gss.h | 36 --
src/util/gss-kernel-lib/t_kgss.c | 38 --
src/util/gss-kernel-lib/t_kgss.py | 31 -
src/util/gss-kernel-lib/t_kgss_common.c | 106 ----
src/util/gss-kernel-lib/t_kgss_common.h | 32 -
src/util/gss-kernel-lib/t_kgss_kernel.c | 292 ----------
src/util/gss-kernel-lib/t_kgss_user.c | 400 -------------
30 files changed, 1 insertions(+), 3601 deletions(-)
diff --git a/src/Makefile.in b/src/Makefile.in
index 814e5af..15b9cbb 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -20,12 +20,9 @@ SUBDIRS=util include lib \
plugins/kdb/db2 \
@ldap_plugin_dir@ \
plugins/kdb/test \
- plugins/locate/python \
- plugins/preauth/cksum_body \
plugins/preauth/otp \
plugins/preauth/pkinit \
plugins/preauth/test \
- plugins/preauth/wpse \
plugins/tls/k5tls \
kdc kadmin slave clients appl tests \
config-files build-tools man doc @po@
diff --git a/src/configure.in b/src/configure.in
index db8b929..58f89d9 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1216,16 +1216,6 @@ AC_CHECK_LIB(aceclnt, sd_init, [
AC_SUBST(sam2_plugin)
CFLAGS=$old_CFLAGS
-# This checks is for plugins/locate/python, which isn't built by
-# default, so it's not a big deal that it isn't very good. We should
-# use python-config instead.
-PYTHON_LIB=
-AC_CHECK_HEADERS(Python.h python2.3/Python.h python2.5/Python.h)
-AC_CHECK_LIB(python2.3,main,[PYTHON_LIB=-lpython2.3],
- AC_CHECK_LIB(python2.5,main,[PYTHON_LIB=-lpython2.5]))
-AC_SUBST(PYTHON_LIB)
-
-
# Kludge for simple server --- FIXME is this the best way to do this?
if test "$ac_cv_lib_socket" = "yes" -a "$ac_cv_lib_nsl" = "yes"; then
@@ -1412,7 +1402,6 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
kdc slave config-files build-tools man doc include
plugins/hostrealm/test
- plugins/locate/python
plugins/localauth/test
plugins/kadm5_hook/test
plugins/pwqual/test
@@ -1427,10 +1416,8 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
plugins/kdb/db2/libdb2/recno
plugins/kdb/db2/libdb2/test
plugins/kdb/test
- plugins/preauth/cksum_body
plugins/preauth/otp
plugins/preauth/test
- plugins/preauth/wpse
plugins/authdata/greet_client
plugins/authdata/greet_server
plugins/tls/k5tls
@@ -1449,6 +1436,5 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
tests tests/resolve tests/asn.1 tests/create tests/hammer
tests/verify tests/gssapi tests/dejagnu tests/threads tests/shlib
tests/gss-threads tests/misc
- util/gss-kernel-lib util/collected-client-lib
po
)
diff --git a/src/plugins/locate/python/Makefile.in b/src/plugins/locate/python/Makefile.in
deleted file mode 100644
index ec474bd..0000000
--- a/src/plugins/locate/python/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# The python locate module is not built by default. To build it
-# manally, run "make all-liblinks".
-
-mydir=plugins$(S)locate$(S)python
-BUILDTOP=$(REL)..$(S)..$(S)..
-
-LIBBASE=python
-LIBMAJOR=0
-LIBMINOR=0
-RELDIR=../plugins/locate/python
-MODULE_INSTALL_DIR = $(KRB5_LIBKRB5_MODULE_DIR)
-
-SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS= @PYTHON_LIB@ $(KRB5_LIB) $(SUPPORT_LIB)
-
-SRCS= \
- $(srcdir)/py-locate.c
-STLIBOBJS= py-locate.o
-
-clean-unix:: clean-liblinks clean-libs clean-libobjs
-
- at libnover_frag@
- at libobj_frag@
-
diff --git a/src/plugins/locate/python/deps b/src/plugins/locate/python/deps
deleted file mode 100644
index d26a51e..0000000
--- a/src/plugins/locate/python/deps
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-py-locate.so py-locate.po $(OUTPRE)py-locate.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h py-locate.c
diff --git a/src/plugins/locate/python/locate-service.py b/src/plugins/locate/python/locate-service.py
deleted file mode 100644
index 53153be..0000000
--- a/src/plugins/locate/python/locate-service.py
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 2006 Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-# possible return values:
-# False: request not handled by this script, try another means
-# empty list: no server available, e.g., TCP KDC in realm with only UDP
-# ordered list of (ip-addr-string, port-number-or-string, socket-type)
-#
-# Field ip-addr-string is a numeric representation of the IPv4 or IPv6
-# address. Field port-number-or-string is, for example, "88" or 88. The
-# socket type is also expressed numerically, SOCK_DGRAM or SOCK_STREAM.
-# It must agree with the supplied socktype value if that is non-zero, but
-# zero must not be used in the returned list.
-#
-# service enum values: kdc=1, master_kdc, kadmin, krb524, kpasswd
-
-from socket import getaddrinfo, SOCK_STREAM, SOCK_DGRAM, AF_INET, AF_INET6
-def locate1 (service, realm, socktype, family):
- if (service == 1 or service == 2) and realm == "ATHENA.MIT.EDU":
- if socktype == SOCK_STREAM: return []
- socktype = SOCK_DGRAM
- result = []
- hlist = (("kerberos.mit.edu", 88), ("kerberos-1.mit.edu", 88),
- ("some-random-name-that-does-not-exist.mit.edu", 12345),
- ("kerberos.mit.edu", 750))
- if service == 2: hlist = (hlist[0],)
- for (hname,hport) in hlist:
- try:
- alist = getaddrinfo(hname, hport, family, socktype)
- for a in alist:
- (fam, stype, proto, canonname, sa) = a
- if fam == AF_INET or fam == AF_INET6:
- addr = sa[0]
- port = sa[1]
- result = result + [(addr, port, stype)]
- except Exception, inst:
-# print "getaddrinfo error for " + hname + ":", inst
- pass # Enh, this is just a demo.
- return result
- if realm == "BOBO.MIT.EDU": return []
- return False
-
-verbose = 0
-servicenames = { 1: "kdc", 2: "master_kdc", 3: "kadmin", 4: "krb524", 5: "kpasswd" }
-socktypenames = { SOCK_STREAM: "STREAM", SOCK_DGRAM: "DGRAM" }
-familynames = { 0: "UNSPEC", AF_INET: "INET", AF_INET6: "INET6" }
-
-def locate (service, realm, socktype, family):
- socktypename = socktype
- if socktype in socktypenames: socktypename = "%s(%d)" % (socktypenames[socktype], socktype)
- familyname = family
- if family in familynames: familyname = "%s(%d)" % (familynames[family], family)
- servicename = service
- if service in servicenames: servicename = "%s(%d)" % (servicenames[service], service)
- if verbose: print "locate called with service", servicename, "realm", realm, "socktype", socktypename, "family", familyname
- result = locate1 (service, realm, socktype, family)
- if verbose: print "locate result is", result
- return result
diff --git a/src/plugins/locate/python/py-locate.c b/src/plugins/locate/python/py-locate.c
deleted file mode 100644
index 7273026..0000000
--- a/src/plugins/locate/python/py-locate.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/locate/python/py-locate.c */
-/*
- * Copyright 2006, 2007 Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* This is a demo module. The error checking is incomplete, there's
- no exception handling, and it wouldn't surprise me in the least if
- there are more bugs in the refcount maintenance.
-
- But it will demonstrate (1) the plugin interface for locating a KDC
- or other Kerberos-related service, and (2) that it's possible for
- these plugins to call out to scripts in various languages for
- prototyping or whatever.
-
- Some notes:
-
- If delayed initialization is not done, and the script is executed
- when this module is loaded, loading other Python modules may not
- work, if they include object code referencing the Python symbols.
- Under glibc at least, it appears that the symbols of this module
- aren't available to random dlopen/dlsym calls until loading
- finishes, including the initialization routine. It's completely
- logical -- in fact, I'd be concerned if it were otherwise. But not
- obvious if you're not thinking about it.
-
- Actually, sometimes even with delayed initialization it could be a
- problem.
-
- You may be able to work around it with something like:
- % env LD_PRELOAD=/usr/lib/libpython2.3.so.1.0 kinit ...blah...
-
- This module seems rather sensitive to bugs in the Python code. If
- it's not correct, you may get core dumps, Python GC errors, etc.
- Probably more signs of bugs in this code.
-
- All of the -1 returns should be cleaned up and made to return
- real error codes, with appropriate output if debugging is enabled.
-
- Blah. */
-
-/* Include Python.h before autoconf.h, because our autoconf.h seems
- to confuse Python's headers. */
-#include <autoconf.h>
-#if HAVE_PYTHON_H
-#include <Python.h>
-#elif HAVE_PYTHON2_3_PYTHON_H
-#include <python2.3/Python.h>
-#elif HAVE_PYTHON2_5_PYTHON_H
-#include <python2.5/Python.h>
-#else
-#error "Where's the Python header file?"
-#endif
-#include <errno.h>
-#include "k5-platform.h" /* for init/fini macros */
-#include "fake-addrinfo.h"
-
-#include <krb5/locate_plugin.h>
-
-#define LIBDIR "/tmp" /* should be imported from configure */
-#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py"
-#define LOOKUP_FUNC_NAME "locate"
-
-static PyObject *locatefn;
-
-MAKE_INIT_FUNCTION(my_init);
-MAKE_FINI_FUNCTION(my_fini);
-
-#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__)
-
-static krb5_context sctx; /* XXX ugly hack! */
-
-int
-my_init(void)
-{
- PyObject *mainmodule;
- FILE *f;
-
- Py_Initialize ();
-// fprintf(stderr, "trying to load %s\n", SCRIPT_PATH);
- f = fopen(SCRIPT_PATH, "r");
- if (f == NULL) {
- if (sctx)
- krb5_set_error_message(sctx, -1,
- "couldn't open Python script %s (%s)",
- SCRIPT_PATH, strerror(errno));
- return -1;
- }
- set_cloexec_file(f);
- PyRun_SimpleFile (f, SCRIPT_PATH);
- fclose(f);
- mainmodule = PyModule_GetDict(PyImport_AddModule("__main__"));
- if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; }
- locatefn = PyDict_GetItemString (mainmodule, LOOKUP_FUNC_NAME);
- if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; }
- /* Don't DECREF mainmodule, it's sometimes causing crashes. */
- if (locatefn == 0)
- return -1;
- if (!PyCallable_Check (locatefn)) {
- Py_DECREF (locatefn);
- locatefn = 0;
- return -1;
- }
- if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; }
- return 0;
-}
-
-void
-my_fini(void)
-{
-// fprintf(stderr, "%s:%d: Python module finalization\n", F, __LINE__);
- if (! INITIALIZER_RAN (my_init))
- return;
- Py_DECREF (locatefn);
- locatefn = 0;
- Py_Finalize ();
-}
-
-static krb5_error_code
-ctxinit(krb5_context ctx, void **blobptr)
-{
- /* If we wanted to create a separate Python interpreter instance,
- look up the pathname of the script in the config file used for
- the current krb5_context, and load the script in that
- interpreter, this would be a good place for it; the blob could
- be allocated to hold the reference to the interpreter
- instance. */
- *blobptr = ctx;
- return 0;
-}
-
-static void
-ctxfini(void *blob)
-{
-}
-
-/* Special return codes:
-
- 0: We set a (possibly empty) set of server locations in the result
- field. If the server location set is empty, that means there
- aren't any servers, *not* that we should try the krb5.conf file or
- DNS or something.
-
- KRB5_PLUGIN_NO_HANDLE: This realm or service isn't handled here,
- try some other means.
-
- Other: Some error happened here. It may be reported, if the
- service can't be located by other means. (In this implementation,
- the catch-all error code returned in a bunch of places is -1, which
- isn't going to be very useful to the caller.) */
-
-static krb5_error_code
-lookup(void *blob, enum locate_service_type svc, const char *realm,
- int socktype, int family,
- int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata)
-{
- PyObject *py_result, *svcarg, *realmarg, *arglist;
- int listsize, i, x;
- struct addrinfo aihints, *airesult;
- int thissocktype;
-
-// fprintf(stderr, "%s:%d: lookup(%d,%s,%d,%d)\n", F, __LINE__,
-// svc, realm, socktype, family);
- sctx = blob; /* XXX: Not thread safe! */
- i = CALL_INIT_FUNCTION (my_init);
- if (i) {
-#if 0
- fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__);
-#endif
- return i;
- }
- if (locatefn == 0)
- return KRB5_PLUGIN_NO_HANDLE;
- svcarg = PyInt_FromLong (svc);
- /* error? */
- realmarg = PyString_FromString ((char *) realm);
- /* error? */
- arglist = PyTuple_New (4);
- /* error? */
-
- PyTuple_SetItem (arglist, 0, svcarg);
- PyTuple_SetItem (arglist, 1, realmarg);
- PyTuple_SetItem (arglist, 2, PyInt_FromLong (socktype));
- PyTuple_SetItem (arglist, 3, PyInt_FromLong (family));
- /* references handed off, no decref */
-
- py_result = PyObject_CallObject (locatefn, arglist);
- Py_DECREF (arglist);
- if (PyErr_Occurred()) {
- fprintf(stderr,"%s:%d: python error\n", F, __LINE__);
- PyErr_Print();
- krb5_set_error_message(blob, -1,
- "Python evaluation error, see stderr");
- return -1;
- }
- if (py_result == 0) {
- fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__);
- return -1;
- }
- if (py_result == Py_False)
- return KRB5_PLUGIN_NO_HANDLE;
- if (! PyList_Check (py_result)) {
- Py_DECREF (py_result);
- fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__);
- krb5_set_error_message(blob, -1,
- "Python script error -- returned non-list, non-False result");
- return -1;
- }
- listsize = PyList_Size (py_result);
- /* allocate */
- memset(&aihints, 0, sizeof(aihints));
- aihints.ai_flags = AI_NUMERICHOST;
- aihints.ai_family = family;
- for (i = 0; i < listsize; i++) {
- PyObject *answer, *field;
- char *hoststr, *portstr, portbuf[3*sizeof(long) + 4];
- int cbret;
-
- answer = PyList_GetItem (py_result, i);
- if (! PyTuple_Check (answer)) {
- krb5_set_error_message(blob, -1,
- "Python script error -- returned item %d not a tuple", i);
- /* leak? */
- return -1;
- }
- if (PyTuple_Size (answer) != 3) {
- krb5_set_error_message(blob, -1,
- "Python script error -- returned tuple %d size %d should be 3",
- i, PyTuple_Size (answer));
- /* leak? */
- return -1;
- }
- field = PyTuple_GetItem (answer, 0);
- if (! PyString_Check (field)) {
- /* leak? */
- krb5_set_error_message(blob, -1,
- "Python script error -- first component of tuple %d is not a string",
- i);
- return -1;
- }
- hoststr = PyString_AsString (field);
- field = PyTuple_GetItem (answer, 1);
- if (PyString_Check (field)) {
- portstr = PyString_AsString (field);
- } else if (PyInt_Check (field)) {
- snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field));
- portstr = portbuf;
- } else {
- krb5_set_error_message(blob, -1,
- "Python script error -- second component of tuple %d neither a string nor an integer",
- i);
- /* leak? */
- return -1;
- }
- field = PyTuple_GetItem (answer, 2);
- if (! PyInt_Check (field)) {
- krb5_set_error_message(blob, -1,
- "Python script error -- third component of tuple %d not an integer",
- i);
- /* leak? */
- return -1;
- }
- thissocktype = PyInt_AsLong (field);
- switch (thissocktype) {
- case SOCK_STREAM:
- case SOCK_DGRAM:
- /* okay */
- if (socktype != 0 && socktype != thissocktype) {
- krb5_set_error_message(blob, -1,
- "Python script error -- tuple %d has socket type %d, should only have %d",
- i, thissocktype, socktype);
- /* leak? */
- return -1;
- }
- break;
- default:
- /* 0 is not acceptable */
- krb5_set_error_message(blob, -1,
- "Python script error -- tuple %d has invalid socket type %d",
- i, thissocktype);
- /* leak? */
- return -1;
- }
- aihints.ai_socktype = thissocktype;
- aihints.ai_flags = AI_ADDRCONFIG;
- x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
- if (x != 0)
- continue;
- cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr);
- freeaddrinfo(airesult);
- if (cbret != 0)
- break;
- }
- Py_DECREF (py_result);
- return 0;
-}
-
-const krb5plugin_service_locate_ftable service_locator = {
- /* version */
- 0,
- /* functions */
- ctxinit, ctxfini, lookup,
-};
diff --git a/src/plugins/locate/python/python.exports b/src/plugins/locate/python/python.exports
deleted file mode 100644
index 60ff46e..0000000
--- a/src/plugins/locate/python/python.exports
+++ /dev/null
@@ -1 +0,0 @@
-service_locator
diff --git a/src/plugins/preauth/cksum_body/Makefile.in b/src/plugins/preauth/cksum_body/Makefile.in
deleted file mode 100644
index 45cceb7..0000000
--- a/src/plugins/preauth/cksum_body/Makefile.in
+++ /dev/null
@@ -1,26 +0,0 @@
-# The cksum_body preauth module is not built by default. To build it
-# manually, run "make all-libs".
-
-mydir=plugins$(S)preauth$(S)cksum_body
-BUILDTOP=$(REL)..$(S)..$(S)..
-MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-
-LIBBASE=cksum_body
-LIBMAJOR=0
-LIBMINOR=0
-RELDIR=../plugins/preauth/cksum_body
-# Depends on libk5crypto and libkrb5
-SHLIB_EXPDEPS = \
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
-
-STLIBOBJS=cksum_body_main.o
-
-SRCS= $(srcdir)/cksum_body_main.c
-
-clean-unix:: clean-libs clean-libobjs
-
- at libnover_frag@
- at libobj_frag@
-
diff --git a/src/plugins/preauth/cksum_body/cksum_body.exports b/src/plugins/preauth/cksum_body/cksum_body.exports
deleted file mode 100644
index df335ca..0000000
--- a/src/plugins/preauth/cksum_body/cksum_body.exports
+++ /dev/null
@@ -1,2 +0,0 @@
-clpreauth_cksum_body_initvt
-kdcpreauth_cksum_body_initvt
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c
deleted file mode 100644
index ed2b5b4..0000000
--- a/src/plugins/preauth/cksum_body/cksum_body_main.c
+++ /dev/null
@@ -1,611 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 2006 Red Hat, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Checksum the request body with the user's long-term key.
- *
- * The e-data from the KDC is a list of network-byte-order 32-bit integers
- * listing key types which the KDC has for the user.
- *
- * The client uses one of these key types to generate a checksum over the body
- * of the request, and includes the checksum in the AS-REQ as preauthentication
- * data.
- *
- * The AS-REP carries no preauthentication data for this scheme.
- */
-
-#ident "$Id: cksum_body_main.c,v 1.4 2007/01/02 22:33:50 kwc Exp $"
-
-#include "autoconf.h"
-
-#ifdef HAVE_ERRNO_H
-#include <errno.h>
-#endif
-#ifdef HAVE_STRING_H
-#include <string.h>
-#endif
-
-#include <arpa/inet.h>
-#include <stdio.h>
-
-#include <krb5/krb5.h>
-#include <krb5/preauth_plugin.h>
-
-/* This is not a standardized value. It's defined here only to make it easier
- * to change in this module. */
-#define KRB5_PADATA_CKSUM_BODY_REQ 130
-
-struct server_stats{
- int successes, failures;
-};
-
-typedef struct _test_svr_req_ctx {
- int value1;
- int value2;
-} test_svr_req_ctx;
-
-static int
-client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
-{
- return PA_REAL;
-}
-
-static krb5_error_code
-client_process(krb5_context kcontext,
- krb5_clpreauth_moddata moddata,
- krb5_clpreauth_modreq modreq,
- krb5_get_init_creds_opt *opt,
- krb5_clpreauth_callbacks cb,
- krb5_clpreauth_rock rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *pa_data,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_pa_data ***out_pa_data)
-{
- krb5_pa_data **send_pa;
- krb5_checksum checksum;
- krb5_cksumtype *cksumtypes;
- krb5_error_code status = 0;
- krb5_int32 cksumtype;
- unsigned int i, cksumtype_count;
- int num_gic_info = 0;
- krb5_gic_opt_pa_data *gic_info;
- krb5_keyblock *as_key;
-
- status = krb5_get_init_creds_opt_get_pa(kcontext, opt,
- &num_gic_info, &gic_info);
- if (status && status != ENOENT) {
-#ifdef DEBUG
- fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n",
- error_message(status));
-#endif
- return status;
- }
-#ifdef DEBUG
- fprintf(stderr, "(cksum_body) Got the following gic options:\n");
-#endif
- for (i = 0; i < num_gic_info; i++) {
-#ifdef DEBUG
- fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value);
-#endif
- }
- krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info);
-
- memset(&checksum, 0, sizeof(checksum));
-
- status = cb->get_as_key(kcontext, rock, &as_key);
- if (status != 0)
- return status;
-#ifdef DEBUG
- fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype);
-#endif
-
- /* Determine an appropriate checksum type for this key. */
- cksumtype_count = 0;
- cksumtypes = NULL;
- status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype,
- &cksumtype_count, &cksumtypes);
- if (status != 0)
- return status;
-
- /* Generate the checksum. */
- for (i = 0; i < cksumtype_count; i++) {
- status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_request_body,
- &checksum);
- if (status == 0) {
-#ifdef DEBUG
- fprintf(stderr, "Made checksum (type = %d, %d bytes).\n",
- checksum.checksum_type, encoded_request_body->length);
-#endif
- break;
- }
- }
- cksumtype = htonl(cksumtypes[i]);
- krb5_free_cksumtypes(kcontext, cksumtypes);
- if (status != 0) {
- if (checksum.length > 0)
- krb5_free_checksum_contents(kcontext, &checksum);
- return status;
- }
-
- /* Allocate the preauth data structure. */
- send_pa = malloc(2 * sizeof(krb5_pa_data *));
- if (send_pa == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- return ENOMEM;
- }
- send_pa[1] = NULL; /* Terminate list */
- send_pa[0] = malloc(sizeof(krb5_pa_data));
- if (send_pa[0] == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- free(send_pa);
- return ENOMEM;
- }
- send_pa[0]->pa_type = KRB5_PADATA_CKSUM_BODY_REQ;
- send_pa[0]->length = 4 + checksum.length;
- send_pa[0]->contents = malloc(4 + checksum.length);
- if (send_pa[0]->contents == NULL) {
- krb5_free_checksum_contents(kcontext, &checksum);
- free(send_pa[0]);
- free(send_pa);
- return ENOMEM;
- }
-
- /* Store the checksum. */
- memcpy(send_pa[0]->contents, &cksumtype, 4);
- memcpy(send_pa[0]->contents + 4, checksum.contents, checksum.length);
- *out_pa_data = send_pa;
-
- /* Clean up. */
- krb5_free_checksum_contents(kcontext, &checksum);
-
- return 0;
-}
-
-static krb5_error_code
-client_gic_opt(krb5_context kcontext,
- krb5_clpreauth_moddata moddata,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
-{
-#ifdef DEBUG
- fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n",
- attr, value);
-#endif
- return 0;
-}
-
-/* Initialize and tear down the server-side module, and do stat tracking. */
-static krb5_error_code
-server_init(krb5_context kcontext, krb5_kdcpreauth_moddata *moddata_out,
- const char **realmnames)
-{
- struct server_stats *stats;
- stats = malloc(sizeof(struct server_stats));
- if (stats == NULL)
- return ENOMEM;
- stats->successes = 0;
- stats->failures = 0;
- *moddata_out = (krb5_kdcpreauth_moddata)stats;
- return 0;
-}
-static void
-server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata)
-{
- struct server_stats *stats;
- stats = (struct server_stats *)moddata;
- if (stats != NULL) {
-#ifdef DEBUG
- fprintf(stderr, "Total: %d clients failed, %d succeeded.\n",
- stats->failures, stats->successes);
-#endif
- free(stats);
- }
-}
-
-/* Obtain and return any preauthentication data (which is destined for the
- * client) which matches type data->pa_type. */
-static void
-server_get_edata(krb5_context kcontext, krb5_kdc_req *request,
- krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
- krb5_kdcpreauth_edata_respond_fn respond, void *arg)
-{
- krb5_keyblock *keys;
- krb5_int32 *enctypes, enctype;
- krb5_pa_data *data;
- int i;
-
- /* Retrieve the client's keys. */
- if (cb->client_keys(kcontext, rock, &keys) != 0) {
-#ifdef DEBUG
- fprintf(stderr, "Error retrieving client keys.\n");
-#endif
- (*respond)(arg, KRB5KDC_ERR_PADATA_TYPE_NOSUPP, NULL);
- return;
- }
-
- /* Count which types of keys we've got. */
- for (i = 0; keys[i].enctype != 0; i++);
-
- /* Return the list of encryption types. */
- enctypes = malloc((unsigned)i * 4);
- if (enctypes == NULL) {
- cb->free_keys(kcontext, rock, keys);
- (*respond)(arg, ENOMEM, NULL);
- return;
- }
-#ifdef DEBUG
- fprintf(stderr, "Supported enctypes = {");
-#endif
- for (i = 0; keys[i].enctype != 0; i++) {
-#ifdef DEBUG
- fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype);
-#endif
- enctype = htonl(keys[i].enctype);
- memcpy(&enctypes[i], &enctype, 4);
- }
-#ifdef DEBUG
- fprintf(stderr, "}.\n");
-#endif
- cb->free_keys(kcontext, rock, keys);
- data = malloc(sizeof(*data));
- if (data == NULL) {
- free(enctypes);
- (*respond)(arg, ENOMEM, NULL);
- }
- data->magic = KV5M_PA_DATA;
- data->pa_type = KRB5_PADATA_CKSUM_BODY_REQ;
- data->length = (i * 4);
- data->contents = (unsigned char *) enctypes;
- (*respond)(arg, 0, data);
-}
-
-/* Verify a request from a client. */
-static void
-server_verify(krb5_context kcontext,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg)
-{
- krb5_int32 cksumtype;
- krb5_checksum checksum;
- krb5_boolean valid;
- krb5_data *req_body;
- krb5_keyblock *keys, *key;
- size_t length;
- unsigned int i, cksumtypes_count;
- krb5_cksumtype *cksumtypes;
- krb5_error_code status;
- struct server_stats *stats;
- test_svr_req_ctx *svr_req_ctx;
- krb5_authdata **my_authz_data = NULL;
-
- stats = (struct server_stats *)moddata;
-
-#ifdef DEBUG
- fprintf(stderr, "cksum_body: server_verify\n");
-#endif
- /* Verify the preauth data. Start with the checksum type. */
- if (data->length < 4) {
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
- memcpy(&cksumtype, data->contents, 4);
- memset(&checksum, 0, sizeof(checksum));
- checksum.checksum_type = ntohl(cksumtype);
-
- /* Verify that the amount of data we have left is what we expect. */
- if (krb5_c_checksum_length(kcontext, checksum.checksum_type,
- &length) != 0) {
-#ifdef DEBUG
- fprintf(stderr, "Error determining checksum size (type = %d). "
- "Is it supported?\n", checksum.checksum_type);
-#endif
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL);
- return;
- }
- if (data->length - 4 != length) {
-#ifdef DEBUG
- fprintf(stderr, "Checksum size doesn't match client packet size.\n");
-#endif
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
- checksum.length = length;
-
- /* Pull up the client's keys. */
- if (cb->client_keys(kcontext, rock, &keys) != 0) {
-#ifdef DEBUG
- fprintf(stderr, "Error retrieving client keys.\n");
-#endif
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
-
- /* Find the key which would have been used to generate the checksum. */
- for (key = keys; key->enctype != 0; key++) {
- cksumtypes_count = 0;
- cksumtypes = NULL;
- if (krb5_c_keyed_checksum_types(kcontext, key->enctype,
- &cksumtypes_count, &cksumtypes) != 0)
- continue;
- for (i = 0; i < cksumtypes_count; i++) {
- if (cksumtypes[i] == checksum.checksum_type)
- break;
- }
- if (cksumtypes != NULL)
- krb5_free_cksumtypes(kcontext, cksumtypes);
- if (i < cksumtypes_count) {
-#ifdef DEBUG
- fprintf(stderr, "Found checksum key.\n");
-#endif
- break;
- }
- }
- if (key->enctype == 0) {
- cb->free_keys(kcontext, rock, keys);
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL);
- return;
- }
-
- /* Save a copy of the key. */
- if (krb5_copy_keyblock(kcontext, keys, &key) != 0) {
- cb->free_keys(kcontext, rock, keys);
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL);
- return;
- }
- cb->free_keys(kcontext, rock, keys);
-
- req_body = cb->request_body(kcontext, rock);
-
-#ifdef DEBUG
- fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n",
- key->enctype, checksum.checksum_type, req_body->length);
-#endif
-
- /* Verify the checksum itself. */
- checksum.contents = data->contents + 4;
- valid = FALSE;
- status = krb5_c_verify_checksum(kcontext, key,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- req_body, &checksum, &valid);
-
- /* Clean up. */
- krb5_free_keyblock(kcontext, key);
-
- /* Evaluate our results. */
- if ((status != 0) || (!valid)) {
-#ifdef DEBUG
- if (status != 0) {
- fprintf(stderr, "Error in checksum verification.\n");
- } else {
- fprintf(stderr, "Checksum mismatch.\n");
- }
-#endif
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
-
- /*
- * Return some junk authorization data just to exercise the
- * code path handling the returned authorization data.
- *
- * NOTE that this is NOT VALID authorization data!
- */
-#ifdef DEBUG
- fprintf(stderr, "cksum_body: doing authorization data!\n");
-#endif
- my_authz_data = malloc(2 * sizeof(*my_authz_data));
- if (my_authz_data != NULL) {
-#if 1 /* USE_5000_AD */
-#define AD_ALLOC_SIZE 5000
- /* ad_header consists of a sequence tag (0x30) and length
- * (0x82 0x1384) followed by octet string tag (0x04) and
- * length (0x82 0x1380) */
- krb5_octet ad_header[] = {0x30, 0x82, 0x13, 0x84, 0x04, 0x82, 0x13, 0x80};
-#else
-#define AD_ALLOC_SIZE 100
- /* ad_header consists of a sequence tag (0x30) and length
- * (0x62) followed by octet string tag (0x04) and length
- * (0x60) */
- krb5_octet ad_header[] = {0x30, 0x62, 0x04, 0x60};
-#endif
-
- my_authz_data[1] = NULL;
- my_authz_data[0] = malloc(sizeof(krb5_authdata));
- if (my_authz_data[0] == NULL) {
- free(my_authz_data);
- (*respond)(arg, ENOMEM, NULL, NULL, NULL);
- return;
- }
- my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE);
- if (my_authz_data[0]->contents == NULL) {
- free(my_authz_data[0]);
- free(my_authz_data);
- (*respond)(arg, ENOMEM, NULL, NULL, NULL);
- return;
- }
- memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE);
- my_authz_data[0]->magic = KV5M_AUTHDATA;
- my_authz_data[0]->ad_type = 1;
- my_authz_data[0]->length = AD_ALLOC_SIZE;
- memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
- snprintf(my_authz_data[0]->contents + sizeof(ad_header),
- AD_ALLOC_SIZE - sizeof(ad_header),
- "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
-#ifdef DEBUG
- fprintf(stderr, "Returning %d bytes of authorization data\n",
- AD_ALLOC_SIZE);
-#endif
- }
-
- /* Return a request context to exercise code that handles it */
- svr_req_ctx = malloc(sizeof(*svr_req_ctx));
- if (svr_req_ctx != NULL) {
- svr_req_ctx->value1 = 111111;
- svr_req_ctx->value2 = 222222;
-#ifdef DEBUG
- fprintf(stderr, "server_verify: returning context at %p\n",
- svr_req_ctx);
-#endif
- }
-
- /* Note that preauthentication succeeded. */
- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- stats->successes++;
- (*respond)(arg, 0, (krb5_kdcpreauth_modreq)svr_req_ctx, NULL, my_authz_data);
-}
-
-/* Create the response for a client. */
-static krb5_error_code
-server_return(krb5_context kcontext,
- krb5_pa_data *padata,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
-{
- /* We don't need to send data back on the return trip. */
- *send_pa = NULL;
- return 0;
-}
-
-/* Test server request context freeing */
-static void
-server_free_modreq(krb5_context kcontext,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
-{
- test_svr_req_ctx *svr_req_ctx;
-#ifdef DEBUG
- fprintf(stderr, "server_free_modreq: entered!\n");
-#endif
- if (modreq == NULL)
- return;
-
- svr_req_ctx = (test_svr_req_ctx *)modreq;
- if (svr_req_ctx == NULL)
- return;
-
- if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) {
- fprintf(stderr, "server_free_modreq: got invalid req context "
- "at %p with values %d and %d\n",
- svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2);
- return;
- }
-#ifdef DEBUG
- fprintf(stderr, "server_free_modreq: freeing context at %p\n", svr_req_ctx);
-#endif
- free(svr_req_ctx);
-}
-
-static int
-server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
-{
- return PA_SUFFICIENT;
-}
-
-static krb5_preauthtype supported_client_pa_types[] = {
- KRB5_PADATA_CKSUM_BODY_REQ, 0,
-};
-static krb5_preauthtype supported_server_pa_types[] = {
- KRB5_PADATA_CKSUM_BODY_REQ, 0,
-};
-
-krb5_error_code
-clpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable);
-krb5_error_code
-kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable);
-
-krb5_error_code
-clpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable)
-{
- krb5_clpreauth_vtable vt;
-
- if (maj_ver != 1)
- return KRB5_PLUGIN_VER_NOTSUPP;
- vt = (krb5_clpreauth_vtable)vtable;
- vt->name = "cksum_body";
- vt->pa_type_list = supported_client_pa_types;
- vt->flags = client_get_flags;
- vt->process = client_process;
- vt->gic_opts = client_gic_opt;
- return 0;
-}
-
-krb5_error_code
-kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable)
-{
- krb5_kdcpreauth_vtable vt;
-
- if (maj_ver != -1)
- return KRB5_PLUGIN_VER_NOTSUPP;
- vt = (krb5_kdcpreauth_vtable)vtable;
- vt->name = "cksum_body";
- vt->pa_type_list = supported_server_pa_types;
- vt->init = server_init;
- vt->fini = server_fini;
- vt->flags = server_get_flags;
- vt->edata = server_get_edata;
- vt->verify = server_verify;
- vt->return_padata = server_return;
- vt->free_modreq = server_free_modreq;
- return 0;
-}
diff --git a/src/plugins/preauth/cksum_body/deps b/src/plugins/preauth/cksum_body/deps
deleted file mode 100644
index 7ee4121..0000000
--- a/src/plugins/preauth/cksum_body/deps
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-cksum_body_main.so cksum_body_main.po $(OUTPRE)cksum_body_main.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/krb5/clpreauth_plugin.h \
- $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h cksum_body_main.c
diff --git a/src/plugins/preauth/wpse/Makefile.in b/src/plugins/preauth/wpse/Makefile.in
deleted file mode 100644
index ab7c744..0000000
--- a/src/plugins/preauth/wpse/Makefile.in
+++ /dev/null
@@ -1,26 +0,0 @@
-# The Worst Preauthentication Scheme Ever is not built by default. To
-# build it manually, run "make all-libs".
-
-mydir=plugins$(S)preauth$(S)wpse
-BUILDTOP=$(REL)..$(S)..$(S)..
-MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-
-LIBBASE=wpse
-LIBMAJOR=0
-LIBMINOR=0
-RELDIR=../plugins/preauth/wpse
-# Depends on libk5crypto and libkrb5
-SHLIB_EXPDEPS = \
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
-
-STLIBOBJS=wpse_main.o
-
-SRCS=wpse_main.c
-
-clean-unix:: clean-libs clean-libobjs
-
- at libnover_frag@
- at libobj_frag@
-
diff --git a/src/plugins/preauth/wpse/deps b/src/plugins/preauth/wpse/deps
deleted file mode 100644
index 64f5f2a..0000000
--- a/src/plugins/preauth/wpse/deps
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-wpse_main.so wpse_main.po $(OUTPRE)wpse_main.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/krb5/preauth_plugin.h \
- wpse_main.c
diff --git a/src/plugins/preauth/wpse/wpse.exports b/src/plugins/preauth/wpse/wpse.exports
deleted file mode 100644
index 4cc48a8..0000000
--- a/src/plugins/preauth/wpse/wpse.exports
+++ /dev/null
@@ -1,2 +0,0 @@
-clpreauth_wpse_initvt
-kdcpreauth_wpse_initvt
diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c
deleted file mode 100644
index c14ec75..0000000
--- a/src/plugins/preauth/wpse/wpse_main.c
+++ /dev/null
@@ -1,477 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 2006 Red Hat, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* Worst. Preauthentication. Scheme. Ever. */
-
-#ident "$Id: wpse_main.c,v 1.3 2007/01/02 22:33:51 kwc Exp $"
-
-#include "autoconf.h"
-
-#ifdef HAVE_ERRNO_H
-#include <errno.h>
-#endif
-#ifdef HAVE_STRING_H
-#include <string.h>
-#endif
-
-#include <arpa/inet.h>
-#include <stdio.h>
-
-#include <krb5/krb5.h>
-#include <krb5/preauth_plugin.h>
-
-/* This is not a standardized value. It's defined here only to make it easier
- * to change in this module. */
-#define KRB5_PADATA_WPSE_REQ 131
-
-static int
-client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
-{
- return PA_REAL;
-}
-
-static krb5_error_code
-client_init(krb5_context kcontext, krb5_clpreauth_moddata *moddata_out)
-{
- int *pctx;
-
- pctx = malloc(sizeof(int));
- if (pctx == NULL)
- return ENOMEM;
- *pctx = 0;
- *moddata_out = (krb5_clpreauth_moddata)pctx;
- return 0;
-}
-
-static void
-client_fini(krb5_context kcontext, krb5_clpreauth_moddata moddata)
-{
- int *pctx;
-
- pctx = (int *)moddata;
- if (pctx) {
-#ifdef DEBUG
- fprintf(stderr, "wpse module called total of %d times\n", *pctx);
-#endif
- free(pctx);
- }
-}
-
-static krb5_error_code
-client_process(krb5_context kcontext,
- krb5_clpreauth_moddata moddata,
- krb5_clpreauth_modreq modreq,
- krb5_get_init_creds_opt *opt,
- krb5_clpreauth_callbacks cb,
- krb5_clpreauth_rock rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *pa_data,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_pa_data ***out_pa_data)
-{
- krb5_pa_data **send_pa;
- krb5_int32 nnonce, enctype;
- krb5_keyblock *kb;
- krb5_error_code status;
- int *pctx;
-
-#ifdef DEBUG
- fprintf(stderr, "%d bytes of preauthentication data (type %d)\n",
- pa_data->length, pa_data->pa_type);
-#endif
-
- pctx = (int *)moddata;
- if (pctx) {
- (*pctx)++;
- }
-
- if (pa_data->length == 0) {
- /* Create preauth data. */
- send_pa = malloc(2 * sizeof(krb5_pa_data *));
- if (send_pa == NULL)
- return ENOMEM;
- send_pa[1] = NULL; /* Terminate list */
- send_pa[0] = malloc(sizeof(krb5_pa_data));
- if (send_pa[0] == NULL) {
- free(send_pa);
- return ENOMEM;
- }
- send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ;
- send_pa[0]->length = 4;
- send_pa[0]->contents = malloc(4);
- if (send_pa[0]->contents == NULL) {
- free(send_pa[0]);
- free(send_pa);
- return ENOMEM;
- }
- /* Store the preauth data. */
- nnonce = htonl(request->nonce);
- memcpy(send_pa[0]->contents, &nnonce, 4);
- *out_pa_data = send_pa;
- } else {
- /* A reply from the KDC. Conventionally this would be
- * indicated by a different preauthentication type, but this
- * mechanism/implementation doesn't do that. */
- if (pa_data->length > 4) {
- memcpy(&enctype, pa_data->contents, 4);
- kb = NULL;
- status = krb5_init_keyblock(kcontext, ntohl(enctype),
- pa_data->length - 4, &kb);
- if (status != 0)
- return status;
- memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4);
-#ifdef DEBUG
- fprintf(stderr, "Recovered key type=%d, length=%d.\n",
- kb->enctype, kb->length);
-#endif
- status = cb->set_as_key(kcontext, rock, kb);
- krb5_free_keyblock(kcontext, kb);
- return status;
- }
- return KRB5KRB_ERR_GENERIC;
- }
- return 0;
-}
-
-#define WPSE_MAGIC 0x77707365
-typedef struct _wpse_req_ctx
-{
- int magic;
- int value;
-} wpse_req_ctx;
-
-static void
-client_req_init(krb5_context kcontext, krb5_clpreauth_moddata moddata,
- krb5_clpreauth_modreq *modreq_out)
-{
- wpse_req_ctx *ctx;
-
- *modreq_out = NULL;
-
- /* Allocate a request context. Useful for verifying that we do in fact
- * do per-request cleanup. */
- ctx = (wpse_req_ctx *) malloc(sizeof(*ctx));
- if (ctx == NULL)
- return;
- ctx->magic = WPSE_MAGIC;
- ctx->value = 0xc0dec0de;
-
- *modreq_out = (krb5_clpreauth_modreq)ctx;
-}
-
-static void
-client_req_cleanup(krb5_context kcontext, krb5_clpreauth_moddata moddata,
- krb5_clpreauth_modreq modreq)
-{
- wpse_req_ctx *ctx = (wpse_req_ctx *)modreq;
-
- if (ctx) {
-#ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
- ctx, ctx->magic, ctx->value);
-#endif
- if (ctx->magic != WPSE_MAGIC) {
-#ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
- ctx, ctx->magic);
-#endif
- return;
- }
- free(ctx);
- }
- return;
-}
-
-static krb5_error_code
-client_gic_opt(krb5_context kcontext,
- krb5_clpreauth_moddata moddata,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
-{
-#ifdef DEBUG
- fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n",
- attr, value);
-#endif
- return 0;
-}
-
-
-/* Free state. */
-static void
-server_free_modreq(krb5_context kcontext,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
-{
- free(modreq);
-}
-
-/* Obtain and return any preauthentication data (which is destined for the
- * client) which matches type data->pa_type. */
-static void
-server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata,
- krb5_preauthtype pa_type,
- krb5_kdcpreauth_edata_respond_fn respond,
- void *arg)
-{
- (*respond)(arg, 0, NULL);
-}
-
-/* Verify a request from a client. */
-static void
-server_verify(krb5_context kcontext,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg)
-{
- krb5_int32 nnonce;
- krb5_authdata **my_authz_data;
- krb5_kdcpreauth_modreq modreq;
-
-#ifdef DEBUG
- fprintf(stderr, "wpse: server_verify()!\n");
-#endif
- /* Verify the preauth data. */
- if (data->length != 4) {
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
- memcpy(&nnonce, data->contents, 4);
- nnonce = ntohl(nnonce);
- if (memcmp(&nnonce, &request->nonce, 4) != 0) {
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
- /* Note that preauthentication succeeded. */
- enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
- /* Allocate a context. Useful for verifying that we do in fact do
- * per-request cleanup. */
- modreq = malloc(4);
-
- /*
- * Return some junk authorization data just to exercise the
- * code path handling the returned authorization data.
- *
- * NOTE that this is NOT VALID authorization data!
- */
-#ifdef DEBUG
- fprintf(stderr, "wpse: doing authorization data!\n");
-#endif
- my_authz_data = malloc(2 * sizeof(*my_authz_data));
- if (my_authz_data != NULL) {
-#if 1 /* USE_5000_AD */
-#define AD_ALLOC_SIZE 5000
- /* ad_header consists of a sequence tag (0x30) and length
- * (0x82 0x1384) followed by octet string tag (0x04) and
- * length (0x82 0x1380) */
- krb5_octet ad_header[] = {0x30, 0x82, 0x13, 0x84, 0x04, 0x82, 0x13, 0x80};
-#else
-#define AD_ALLOC_SIZE 100
- /* ad_header consists of a sequence tag (0x30) and length
- * (0x62) followed by octet string tag (0x04) and length
- * (0x60) */
- krb5_octet ad_header[] = {0x30, 0x62, 0x04, 0x60};
-#endif
-
- my_authz_data[1] = NULL;
- my_authz_data[0] = malloc(sizeof(krb5_authdata));
- if (my_authz_data[0] == NULL) {
- free(my_authz_data);
- (*respond)(arg, ENOMEM, modreq, NULL, NULL);
- return;
- }
- my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE);
- if (my_authz_data[0]->contents == NULL) {
- free(my_authz_data[0]);
- free(my_authz_data);
- (*respond)(arg, ENOMEM, modreq, NULL, NULL);
- return;
- }
- memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE);
- my_authz_data[0]->magic = KV5M_AUTHDATA;
- my_authz_data[0]->ad_type = 1;
- my_authz_data[0]->length = AD_ALLOC_SIZE;
- memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
- snprintf(my_authz_data[0]->contents + sizeof(ad_header),
- AD_ALLOC_SIZE - sizeof(ad_header),
- "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
-#ifdef DEBUG
- fprintf(stderr, "Returning %d bytes of authorization data\n",
- AD_ALLOC_SIZE);
-#endif
- }
-
- (*respond)(arg, 0, modreq, NULL, my_authz_data);
-}
-
-/* Create the response for a client. */
-static krb5_error_code
-server_return(krb5_context kcontext,
- krb5_pa_data *padata,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
- krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
-{
- /* This module does a couple of dumb things. It tags its reply with
- * the same type as the initial challenge (expecting the client to sort
- * out whether there's anything useful in there). Oh, and it replaces
- * the AS reply key with one which is sent in the clear. */
- krb5_keyblock *kb;
- krb5_int32 enctype;
- int i;
-
- *send_pa = NULL;
-
- /* We'll want a key with the first supported enctype. */
- for (i = 0; i < request->nktypes; i++) {
- kb = NULL;
- if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) {
- break;
- }
- }
- if (i >= request->nktypes) {
- /* No matching cipher type found. */
- return 0;
- }
-
- /* Randomize a key and save it for the client. */
- if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) {
- krb5_free_keyblock(kcontext, kb);
- return 0;
- }
-#ifdef DEBUG
- fprintf(stderr, "Generated random key, type=%d, length=%d.\n",
- kb->enctype, kb->length);
-#endif
-
- *send_pa = malloc(sizeof(krb5_pa_data));
- if (*send_pa == NULL) {
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
- }
- (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ;
- (*send_pa)->length = 4 + kb->length;
- (*send_pa)->contents = malloc(4 + kb->length);
- if ((*send_pa)->contents == NULL) {
- free(*send_pa);
- *send_pa = NULL;
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
- }
-
- /* Store the preauth data. */
- enctype = htonl(kb->enctype);
- memcpy((*send_pa)->contents, &enctype, 4);
- memcpy((*send_pa)->contents + 4, kb->contents, kb->length);
- krb5_free_keyblock_contents(kcontext, encrypting_key);
- krb5_copy_keyblock_contents(kcontext, kb, encrypting_key);
-
-
- /* Clean up. */
- krb5_free_keyblock(kcontext, kb);
-
- return 0;
-}
-
-static int
-server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
-{
- return PA_HARDWARE | PA_REPLACES_KEY | PA_SUFFICIENT;
-}
-
-static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
-static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
-
-krb5_error_code
-clpreauth_wpse_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable);
-krb5_error_code
-kdcpreauth_wpse_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable);
-
-krb5_error_code
-clpreauth_wpse_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable)
-{
- krb5_clpreauth_vtable vt;
-
- if (maj_ver != 1)
- return KRB5_PLUGIN_VER_NOTSUPP;
- vt = (krb5_clpreauth_vtable)vtable;
- vt->name = "wpse";
- vt->pa_type_list = supported_client_pa_types;
- vt->init = client_init;
- vt->fini = client_fini;
- vt->flags = client_get_flags;
- vt->request_init = client_req_init;
- vt->request_fini = client_req_cleanup;
- vt->process = client_process;
- vt->gic_opts = client_gic_opt;
- return 0;
-}
-
-krb5_error_code
-kdcpreauth_wpse_initvt(krb5_context context, int maj_ver,
- int min_ver, krb5_plugin_vtable vtable)
-{
- krb5_kdcpreauth_vtable vt;
-
- if (maj_ver != -1)
- return KRB5_PLUGIN_VER_NOTSUPP;
- vt = (krb5_kdcpreauth_vtable)vtable;
- vt->name = "wpse";
- vt->pa_type_list = supported_server_pa_types;
- vt->flags = server_get_flags;
- vt->edata = server_get_edata;
- vt->verify = server_verify;
- vt->return_padata = server_return;
- vt->free_modreq = server_free_modreq;
- return 0;
-}
diff --git a/src/util/Makefile.in b/src/util/Makefile.in
index 5452a77..2611581 100644
--- a/src/util/Makefile.in
+++ b/src/util/Makefile.in
@@ -4,8 +4,7 @@ mydir=util
# configure scripts, so hide this.
##WIN32##!if 0
SUBDIRS=support $(MAYBE_ET_ at COM_ERR_VERSION@) $(MAYBE_SS_ at SS_VERSION@) \
- profile gss-kernel-lib collected-client-lib \
- $(MAYBE_VERTO_ at VERTO_VERSION@)
+ profile $(MAYBE_VERTO_ at VERTO_VERSION@)
##WIN32##!endif
WINSUBDIRS=windows support et profile wshelper
BUILDTOP=$(REL)..
diff --git a/src/util/collected-client-lib/Makefile.in b/src/util/collected-client-lib/Makefile.in
deleted file mode 100644
index 606149e..0000000
--- a/src/util/collected-client-lib/Makefile.in
+++ /dev/null
@@ -1,78 +0,0 @@
-# The collected client library is not built by default. To build it
-# manually, run "make all-libs".
-
-mydir=util$(S)collected-client-lib
-BUILDTOP=$(REL)..$(S)..
-RELDIR=../util/collected-client-lib
-
-##DOS##BUILDTOP = ..\..
-##DOS##LIBNAME=$(OUTPRE)k5sprt32.lib
-##DOS##WIN64LIBNAME=$(OUTPRE)k5sprt64.lib
-##DOS##XTRA=
-##DOS##OBJFILE=$(OUTPRE)k5sprt32.lst
-##DOS##WIN64OBJFILE=$(OUTPRE)k5sprt64.lst
-
-LIBBASE=collected
-LIBMAJOR=1
-LIBMINOR=0
-
-LIBINITFUNC=
-LIBFINIFUNC=
-
-STLIBOBJS=
-LIBOBJS=
-STOBJLISTS= \
- ../../lib/gssapi/OBJS.ST \
- ../../lib/gssapi/generic/OBJS.ST \
- ../../lib/gssapi/mechglue/OBJS.ST \
- ../../lib/gssapi/krb5/OBJS.ST \
- ../../lib/gssapi/spnego/OBJS.ST \
- ../../lib/krb5/OBJS.ST \
- ../../lib/krb5/error_tables/OBJS.ST \
- ../../lib/krb5/asn.1/OBJS.ST \
- ../../lib/krb5/ccache/OBJS.ST \
- ../../lib/krb5/keytab/OBJS.ST \
- ../../lib/krb5/krb/OBJS.ST \
- ../../lib/krb5/rcache/OBJS.ST \
- ../../lib/krb5/os/OBJS.ST \
- ../../lib/krb5/unicode/OBJS.ST \
- ../profile/OBJS.ST \
- ../../lib/crypto/krb/crc32/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/des/OBJS.ST \
- ../../lib/crypto/krb/dk/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/enc_provider/OBJS.ST \
- ../../lib/crypto/krb/hash_provider/OBJS.ST \
- ../../lib/crypto/krb/keyhash_provider/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/md4/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/md5/OBJS.ST \
- ../../lib/crypto/krb/old/OBJS.ST \
- ../../lib/crypto/krb/raw/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/sha1/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/arcfour/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/aes/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/camellia/OBJS.ST \
- ../../lib/crypto/krb/prng/OBJS.ST \
- ../../lib/crypto/krb/prng/@PRNG_ALG@/OBJS.ST \
- ../../lib/crypto/krb/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/OBJS.ST \
- ../../lib/crypto/OBJS.ST \
- ../et/OBJS.ST \
- ../support/OBJS.ST
-
-SRCS=
-
-SHLIB_EXPDEPS =
-
-LIBS_UTILS=-lresolv
-# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) $(LIBS_UTILS)
-
-DEPLIBS=
-
-clean-unix:: clean-libs
-
-#SHLIB_EXPORT_FILE=libcollected.exports
-
- at lib_frag@
-#@#libobj_frag@
-
diff --git a/src/util/collected-client-lib/deps b/src/util/collected-client-lib/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/util/collected-client-lib/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/util/collected-client-lib/libcollected.exports b/src/util/collected-client-lib/libcollected.exports
deleted file mode 100644
index 6eb668d..0000000
--- a/src/util/collected-client-lib/libcollected.exports
+++ /dev/null
@@ -1,286 +0,0 @@
-error_message
-com_err
-com_err_va
-reset_com_err_hook
-set_com_err_hook
-add_error_table
-remove_error_table
-profile_init
-profile_init_path
-profile_is_writable
-profile_is_modified
-profile_flush
-profile_flush_to_file
-profile_flush_to_buffer
-profile_free_buffer
-profile_abandon
-profile_release
-profile_get_values
-profile_free_list
-profile_get_string
-profile_get_boolean
-profile_get_integer
-profile_get_relation_names
-profile_get_subsection_names
-profile_iterator_create
-profile_iterator_free
-profile_iterator
-profile_release_string
-profile_update_relation
-profile_clear_relation
-profile_rename_section
-profile_add_relation
-krb5_is_referral_realm
-krb5_c_encrypt
-krb5_c_decrypt
-krb5_c_encrypt_length
-krb5_c_block_size
-krb5_c_keylengths
-krb5_c_init_state
-krb5_c_free_state
-krb5_c_prf
-krb5_c_prf_length
-krb5_c_make_random_key
-krb5_c_random_to_key
-krb5_c_random_add_entropy
-krb5_c_random_make_octets
-krb5_c_random_os_entropy
-krb5_c_random_seed
-krb5_c_string_to_key
-krb5_c_string_to_key_with_params
-krb5_c_enctype_compare
-krb5_c_make_checksum
-krb5_c_verify_checksum
-krb5_c_checksum_length
-krb5_c_keyed_checksum_types
-krb5_c_valid_enctype
-krb5_c_valid_cksumtype
-krb5_c_is_coll_proof_cksum
-krb5_c_is_keyed_cksum
-krb5_cc_get_name
-krb5_cc_gen_new
-krb5_cc_initialize
-krb5_cc_destroy
-krb5_cc_close
-krb5_cc_store_cred
-krb5_cc_retrieve_cred
-krb5_cc_get_principal
-krb5_cc_start_seq_get
-krb5_cc_next_cred
-krb5_cc_end_seq_get
-krb5_cc_remove_cred
-krb5_cc_set_flags
-krb5_cc_get_flags
-krb5_cc_get_type
-krb5_cccol_cursor_new
-krb5_cccol_cursor_next
-krb5_cccol_cursor_free
-krb5_cc_new_unique
-krb5_init_context
-krb5_init_secure_context
-krb5_free_context
-krb5_copy_context
-krb5_is_thread_safe
-krb5_free_tgt_creds
-krb5_get_credentials
-krb5_get_credentials_validate
-krb5_get_credentials_renew
-krb5_mk_req
-krb5_mk_req_extended
-krb5_rd_rep
-krb5_rd_error
-krb5_rd_safe
-krb5_rd_priv
-krb5_parse_name
-krb5_unparse_name
-krb5_unparse_name_ext
-krb5_set_principal_realm
-krb5_address_search
-krb5_address_compare
-krb5_address_order
-krb5_realm_compare
-krb5_principal_compare
-krb5_init_keyblock
-krb5_copy_keyblock
-krb5_copy_keyblock_contents
-krb5_copy_creds
-krb5_copy_data
-krb5_copy_principal
-krb5_copy_addresses
-krb5_copy_ticket
-krb5_copy_authdata
-krb5_copy_authenticator
-krb5_copy_checksum
-krb5_build_principal_ext
-krb5_build_principal
-krb5_build_principal_va
-krb5_principal2salt
-krb5_cc_resolve
-krb5_cc_default_name
-krb5_cc_set_default_name
-krb5_cc_default
-krb5_cc_copy_creds
-krb5_free_principal
-krb5_free_authenticator
-krb5_free_addresses
-krb5_free_authdata
-krb5_free_ticket
-krb5_free_error
-krb5_free_creds
-krb5_free_cred_contents
-krb5_free_checksum
-krb5_free_checksum_contents
-krb5_free_keyblock
-krb5_free_keyblock_contents
-krb5_free_ap_rep_enc_part
-krb5_free_data
-krb5_free_data_contents
-krb5_free_unparsed_name
-krb5_free_cksumtypes
-krb5_us_timeofday
-krb5_timeofday
-krb5_os_localaddr
-krb5_get_default_realm
-krb5_set_default_realm
-krb5_free_default_realm
-krb5_sname_to_principal
-krb5_change_password
-krb5_set_password
-krb5_set_password_using_ccache
-krb5_chpw_message
-krb5_get_profile
-krb5_mk_safe
-krb5_mk_priv
-krb5_sendauth
-krb5_mk_ncred
-krb5_mk_1cred
-krb5_fwd_tgt_creds
-krb5_auth_con_init
-krb5_auth_con_free
-krb5_auth_con_setflags
-krb5_auth_con_getflags
-krb5_auth_con_set_checksum_func
-krb5_auth_con_get_checksum_func
-krb5_auth_con_setaddrs
-krb5_auth_con_getaddrs
-krb5_auth_con_setports
-krb5_auth_con_setuseruserkey
-krb5_auth_con_getkey
-krb5_auth_con_getsendsubkey
-krb5_auth_con_getrecvsubkey
-krb5_auth_con_setsendsubkey
-krb5_auth_con_setrecvsubkey
-krb5_auth_con_getlocalseqnumber
-krb5_auth_con_getremoteseqnumber
-krb5_auth_con_setrcache
-krb5_auth_con_getrcache
-krb5_auth_con_getauthenticator
-krb5_read_password
-krb5_aname_to_localname
-krb5_get_host_realm
-krb5_get_fallback_host_realm
-krb5_free_host_realm
-krb5_auth_con_genaddrs
-krb5_set_real_time
-krb5_get_time_offsets
-krb5_string_to_enctype
-krb5_string_to_salttype
-krb5_string_to_cksumtype
-krb5_string_to_timestamp
-krb5_string_to_deltat
-krb5_enctype_to_string
-krb5_salttype_to_string
-krb5_cksumtype_to_string
-krb5_timestamp_to_string
-krb5_timestamp_to_sfstring
-krb5_deltat_to_string
-krb5_get_init_creds_opt_alloc
-krb5_get_init_creds_opt_free
-krb5_get_init_creds_opt_init
-krb5_get_init_creds_opt_set_tkt_life
-krb5_get_init_creds_opt_set_renew_life
-krb5_get_init_creds_opt_set_forwardable
-krb5_get_init_creds_opt_set_proxiable
-krb5_get_init_creds_opt_set_etype_list
-krb5_get_init_creds_opt_set_address_list
-krb5_get_init_creds_opt_set_preauth_list
-krb5_get_init_creds_opt_set_salt
-krb5_get_init_creds_opt_set_change_password_prompt
-krb5_get_init_creds_opt_set_pa
-krb5_get_init_creds_password
-krb5_get_validated_creds
-krb5_get_renewed_creds
-krb5_decode_ticket
-krb5_appdefault_string
-krb5_appdefault_boolean
-krb5_get_prompt_types
-krb5_set_error_message
-krb5_vset_error_message
-krb5_get_error_message
-krb5_free_error_message
-krb5_clear_error_message
-gss_acquire_cred
-gss_release_cred
-gss_init_sec_context
-gss_process_context_token
-gss_delete_sec_context
-gss_context_time
-gss_sign
-gss_verify
-gss_seal
-gss_unseal
-gss_display_status
-gss_indicate_mechs
-gss_compare_name
-gss_display_name
-gss_import_name
-gss_release_name
-gss_release_buffer
-gss_release_oid_set
-gss_inquire_cred
-gss_add_cred
-gss_inquire_cred_by_mech
-gss_inquire_context
-gss_wrap_size_limit
-gss_release_oid
-gss_create_empty_oid_set
-gss_add_oid_set_member
-gss_test_oid_set_member
-gss_oid_to_str
-gss_str_to_oid
-gss_wrap
-gss_unwrap
-gss_get_mic
-gss_verify_mic
-gss_inquire_names_for_mech
-gss_inquire_mechs_for_name
-gss_canonicalize_name
-gss_export_name
-gss_duplicate_name
-GSS_C_NT_USER_NAME
-GSS_C_NT_MACHINE_UID_NAME
-GSS_C_NT_STRING_UID_NAME
-GSS_C_NT_HOSTBASED_SERVICE_X
-GSS_C_NT_HOSTBASED_SERVICE
-GSS_C_NT_ANONYMOUS
-GSS_C_NT_EXPORT_NAME
-gss_nt_user_name
-gss_nt_machine_uid_name
-gss_nt_string_uid_name
-gss_nt_service_name_v2
-gss_nt_service_name
-gss_nt_exported_name
-GSS_KRB5_NT_PRINCIPAL_NAME
-gss_mech_krb5
-gss_mech_krb5_old
-gss_mech_set_krb5
-gss_mech_set_krb5_both
-gss_mech_set_krb5_old
-gss_nt_krb5_name
-gss_nt_krb5_principal
-krb5_gss_oid_array
-gss_krb5_copy_ccache
-gss_krb5_ccache_name
-gss_krb5_set_allowable_enctypes
-gss_krb5_export_lucid_sec_context
-gss_krb5_free_lucid_sec_context
diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
deleted file mode 100644
index 29a1556..0000000
--- a/src/util/gss-kernel-lib/Makefile.in
+++ /dev/null
@@ -1,229 +0,0 @@
-mydir=util/gss-kernel-lib
-BUILDTOP=$(REL)..$(S)..
-
-DEFINES=-DKRB5_KERNEL
-ALL_CFLAGS=$(WARN_CFLAGS) $(DEFS) $(DEFINES) -I. -Igssapi $(CPPFLAGS) $(CFLAGS)
-
-SHLIB_EXPDEPS = \
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS)
-
-SRCS= \
- k5seal.c \
- k5sealiov.c \
- k5unseal.c \
- k5unsealiov.c \
- k5sealv3.c \
- k5sealv3iov.c \
- util_cksum.c \
- util_crypt.c \
- util_seqnum.c \
- util_seed.c \
- util_token.c \
- util_set.c \
- util_seqstate.c
-
-EXTRADEPSRCS= kernel_gss.c t_kgss_common.c t_kgss_user.c t_kgss_kernel.c
-
-OBJS= \
- kernel_gss.o \
- k5seal.o \
- k5sealiov.o \
- k5unseal.o \
- k5unsealiov.o \
- k5sealv3.o \
- k5sealv3iov.o \
- util_cksum.o \
- util_crypt.o \
- util_seqnum.o \
- util_seed.o \
- util_token.o \
- util_set.o \
- util_seqstate.o
-
-# COM_ERR_DEPS is COM_ERR_DEPS-k5 when we use the bundled com_err, and
-# empty otherwise. Normally COM_ERR_DEPS-k5 is from the central
-# include directory in the build tree, but here we only take headers
-# from the current directory, so we need to redefine it.
-COM_ERR_DEPS-k5 = com_err.h
-
-HEADERS= \
- gssapi/gssapi.h \
- gssapi/gssapi_krb5.h \
- gssapi/gssapi_alloc.h \
- gssapi/gssapi_ext.h \
- gssapi.h \
- gssapiP_krb5.h \
- gssapi_err_krb5.h \
- gssapiP_generic.h \
- gssapi_generic.h \
- gssapi_err_generic.h \
- k5-int.h \
- k5-int-pkinit.h \
- k5-thread.h \
- k5-platform.h \
- k5-buf.h \
- k5-trace.h \
- k5-err.h \
- k5-plugin.h \
- k5-gmt_mktime.h \
- krb5.h \
- osconf.h \
- autoconf.h \
- port-sockets.h \
- socket-utils.h \
- krb5/krb5.h \
- krb5/plugin.h \
- krb5/clpreauth_plugin.h \
- krb5/authdata_plugin.h \
- profile.h \
- $(COM_ERR_DEPS)
-
-check-pytests: t_kgss_user t_kgss_kernel
- $(RUNPYTEST) $(srcdir)/t_kgss.py $(PYTESTFLAGS)
-
-libkgss.a: $(OBJS)
- $(RM) $@
- $(AR) cq $@ $(OBJS)
- $(RANLIB) $@
-
-t_kgss_user: t_kgss_user.o t_kgss_common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o t_kgss_user t_kgss_user.o t_kgss_common.o $(GSS_LIBS) \
- $(KRB5_BASE_LIBS)
-
-t_kgss_kernel: libkgss.a t_kgss_kernel.o t_kgss_common.o $(K5CRYPTO_DEPLIB) \
- $(SUPPORT_DEPLIB)
- $(CC_LINK) -o $@ t_kgss_kernel.o t_kgss_common.o libkgss.a \
- $(K5CRYPTO_LIB) $(SUPPORT_LIB)
-
-depend: $(SRCS) $(HEADERS)
-
-clean:
- $(RM) $(SRCS) $(HEADERS) libkgss.a testlog OBJS.SH
- $(RM) -r gssapi krb5 testdir
- $(RM) t_kgss_user.o t_kgss_kernel.o t_kgss_common.o
- $(RM) t_kgss_user t_kgss_kernel
-
-GSS_KRB5=$(top_srcdir)/lib/gssapi/krb5
-GSS_KRB5_BUILD=$(BUILDTOP)/lib/gssapi/krb5
-GSS_GENERIC=$(top_srcdir)/lib/gssapi/generic
-GSS_GENERIC_BUILD=$(BUILDTOP)/lib/gssapi/generic
-INCLUDE=$(top_srcdir)/include
-INCLUDE_BUILD=$(BUILDTOP)/include
-
-# Rules to copy sources from their real homes in the source or build tree.
-# If we switch to requiring gnu make, we can use $(CP) $< $@ in these rules.
-k5seal.c: $(GSS_KRB5)/k5seal.c
- $(CP) $(GSS_KRB5)/k5seal.c $@
-k5sealiov.c: $(GSS_KRB5)/k5sealiov.c
- $(CP) $(GSS_KRB5)/k5sealiov.c $@
-k5unseal.c: $(GSS_KRB5)/k5unseal.c
- $(CP) $(GSS_KRB5)/k5unseal.c $@
-k5unsealiov.c: $(GSS_KRB5)/k5unsealiov.c
- $(CP) $(GSS_KRB5)/k5unsealiov.c $@
-k5sealv3.c: $(GSS_KRB5)/k5sealv3.c
- $(CP) $(GSS_KRB5)/k5sealv3.c $@
-k5sealv3iov.c: $(GSS_KRB5)/k5sealv3iov.c
- $(CP) $(GSS_KRB5)/k5sealv3iov.c $@
-util_cksum.c: $(GSS_KRB5)/util_cksum.c
- $(CP) $(GSS_KRB5)/util_cksum.c $@
-util_crypt.c: $(GSS_KRB5)/util_crypt.c
- $(CP) $(GSS_KRB5)/util_crypt.c $@
-util_seqnum.c: $(GSS_KRB5)/util_seqnum.c
- $(CP) $(GSS_KRB5)/util_seqnum.c $@
-util_seed.c: $(GSS_KRB5)/util_seed.c
- $(CP) $(GSS_KRB5)/util_seed.c $@
-util_token.c: $(GSS_GENERIC)/util_token.c
- $(CP) $(GSS_GENERIC)/util_token.c $@
-util_set.c: $(GSS_GENERIC)/util_set.c
- $(CP) $(GSS_GENERIC)/util_set.c $@
-util_seqstate.c: $(GSS_GENERIC)/util_seqstate.c
- $(CP) $(GSS_GENERIC)/util_seqstate.c $@
-
-# Rules to copy headers from their real homes in the source or build tree.
-gssapi.h: $(INCLUDE)/gssapi.h
- $(CP) $(INCLUDE)/gssapi.h $@
-gssapi/gssapi.h: gssapi $(GSS_GENERIC_BUILD)/gssapi.h
- $(CP) $(GSS_GENERIC_BUILD)/gssapi.h $@
-gssapi/gssapi_krb5.h: gssapi $(GSS_KRB5)/gssapi_krb5.h
- $(CP) $(GSS_KRB5)/gssapi_krb5.h $@
-gssapi/gssapi_alloc.h: gssapi $(GSS_GENERIC)/gssapi_alloc.h
- $(CP) $(GSS_GENERIC)/gssapi_alloc.h $@
-gssapi/gssapi_ext.h: gssapi $(GSS_GENERIC)/gssapi_ext.h
- $(CP) $(GSS_GENERIC)/gssapi_ext.h $@
-gssapiP_krb5.h: $(GSS_KRB5)/gssapiP_krb5.h
- $(CP) $(GSS_KRB5)/gssapiP_krb5.h $@
-gssapi_err_krb5.h: $(GSS_KRB5_BUILD)/gssapi_err_krb5.h
- $(CP) $(GSS_KRB5_BUILD)/gssapi_err_krb5.h $@
-gssapiP_generic.h: $(GSS_GENERIC)/gssapiP_generic.h
- $(CP) $(GSS_GENERIC)/gssapiP_generic.h $@
-gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h
- $(CP) $(GSS_GENERIC)/gssapi_generic.h $@
-gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
- $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
- $(CP) $(INCLUDE)/k5-int.h $@
-k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
- $(CP) $(INCLUDE)/k5-int-pkinit.h $@
-k5-thread.h: $(INCLUDE)/k5-thread.h
- $(CP) $(INCLUDE)/k5-thread.h $@
-k5-platform.h: $(INCLUDE)/k5-platform.h
- $(CP) $(INCLUDE)/k5-platform.h $@
-k5-buf.h: $(INCLUDE)/k5-buf.h
- $(CP) $(INCLUDE)/k5-buf.h $@
-k5-trace.h: $(INCLUDE)/k5-trace.h
- $(CP) $(INCLUDE)/k5-trace.h $@
-k5-err.h: $(INCLUDE)/k5-err.h
- $(CP) $(INCLUDE)/k5-err.h $@
-k5-plugin.h: $(INCLUDE)/k5-plugin.h
- $(CP) $(INCLUDE)/k5-plugin.h $@
-k5-gmt_mktime.h: $(INCLUDE)/k5-gmt_mktime.h
- $(CP) $(INCLUDE)/k5-gmt_mktime.h $@
-krb5.h: $(INCLUDE)/krb5.h
- $(CP) $(INCLUDE)/krb5.h $@
-osconf.h: $(INCLUDE_BUILD)/osconf.h
- $(CP) $(INCLUDE_BUILD)/osconf.h $@
-autoconf.h: $(INCLUDE_BUILD)/autoconf.h
- $(CP) $(INCLUDE_BUILD)/autoconf.h $@
-port-sockets.h: $(INCLUDE)/port-sockets.h
- $(CP) $(INCLUDE)/port-sockets.h $@
-socket-utils.h: $(INCLUDE)/socket-utils.h
- $(CP) $(INCLUDE)/socket-utils.h $@
-krb5/krb5.h: krb5 $(INCLUDE_BUILD)/krb5/krb5.h
- $(CP) $(INCLUDE_BUILD)/krb5/krb5.h $@
-krb5/plugin.h: krb5 $(INCLUDE)/krb5/plugin.h
- $(CP) $(INCLUDE)/krb5/plugin.h $@
-krb5/clpreauth_plugin.h: krb5 $(INCLUDE)/krb5/clpreauth_plugin.h
- $(CP) $(INCLUDE)/krb5/clpreauth_plugin.h $@
-krb5/authdata_plugin.h: krb5 $(INCLUDE)/krb5/authdata_plugin.h
- $(CP) $(INCLUDE)/krb5/authdata_plugin.h $@
-profile.h: $(INCLUDE_BUILD)/profile.h
- $(CP) $(INCLUDE_BUILD)/profile.h $@
-com_err.h: $(INCLUDE_BUILD)/com_err.h
- $(CP) $(INCLUDE_BUILD)/com_err.h $@
-
-# Rules to generate dependency headers if they don't already exist,
-# for "make depend" from an unbuilt directory.
-$(GSS_GENERIC_BUILD)/gssapi.h:
- (cd $(GSS_GENERIC_BUILD) && $(MAKE) gssapi.h)
-$(GSS_GENERIC_BUILD)/gssapi_err_generic.h:
- (cd $(GSS_GENERIC_BUILD) && $(MAKE) gssapi_err_generic.h)
-$(GSS_KRB5_BUILD)/gssapi_err_krb5.h:
- (cd $(GSS_KRB5_BUILD) && $(MAKE) gssapi_err_krb5.h)
-$(INCLUDE_BUILD)/osconf.h:
- (cd $(INCLUDE_BUILD) && $(MAKE) osconf.h)
-$(INCLUDE_BUILD)/krb5/krb5.h:
- (cd $(INCLUDE_BUILD) && $(MAKE) krb5/krb5.h)
-
-gssapi:
- test -d gssapi || mkdir gssapi
-krb5:
- test -d krb5 || mkdir krb5
-
-LIBBASE=kgss
-LIBMAJOR=1
-LIBMINOR=0
-
-LIBINITFUNC=
-LIBFINIFUNC=
diff --git a/src/util/gss-kernel-lib/README b/src/util/gss-kernel-lib/README
deleted file mode 100644
index b2adf2b..0000000
--- a/src/util/gss-kernel-lib/README
+++ /dev/null
@@ -1,121 +0,0 @@
-This directory is intended to help integrators of MIT krb5 code into
-the kernel by:
-
-1. Identifying the GSSAPI source files necessary for wrapping and
-unwrapping messages.
-
-2. Providing a test framework to ensuring that these source files do
-not grow addtional dependencies without alerting the developers.
-
-3. Providing code for importing a Lucid sec context.
-
-Nothing is built in this directory during "make all". The following
-happens durng "make check":
-
-1. Sources and headers are copied here from other parts of the tree.
-
-2. Sources are compiled and built, together with some additional code
-in kernel_gss.c, into a static library named libkgss.a. Sources are
-built with -DKRB5_KERNEL, which is used (very sparingly) to eliminate
-dependencies such as the code to save error messages.
-
-3. A test program is built in two parts: t_kgss_user is built against
-the regular ("user-space") GSSAPI libraries, and t_kgss_kernel is
-built against libkgss.a.
-
-4. A Python test executes t_kgss_user, which runs t_kgss_kernel in a
-child process and exercises the functionality of libkgss.a.
-
-Limitations
------------
-
-Lucid contexts are used to transport the acceptor context from
-user-space to kernel-space, because the code overhead of normal
-export/import is large (it requires the libkrb5 serialization
-framework). Kernel integrators should be aware of two issues with
-Lucid contexts:
-
-1. They are not a flat data blob. It is up to the user/kernelspace
-interface to define a format for transporting the lucid context
-structure.
-
-2. Lucid contexts do not convey the do-replay or do-sequence flags
-from the original context. RPC security does not need replay or
-sequence detection, so the krb5_gss_import_lucid_sec_context
-implementation in kernel_gss.c simply assumes the flags should be
-turned off. If the kernel GSS code is being used for a protocol which
-does need replay or sequence detection, those flags should be
-determined separately and set in the krb5 GSS context.
-
-Crypto library
---------------
-
-libkgss.a does not include crypto code. Almost all of the crypto
-library is required for a kernel integration, so it would not be
-productive to duplicate almost all of the crypto build infrastructure
-to demonstrate the kernel subset.
-
-A kernel integrator will almost certainly want to use the kernel's
-native PRNG instead of the default lib/crypto/krb/prng_fortuna.c, and
-may also wish to write a back end module implementing standard crypto
-primitives in terms of the kernel's crypto primitives, instead of
-using lib/crypto/builtin.
-
-A few pieces of crypto functionality can be omitted from a kernel
-subset. String-to-key is not needed, and consequently neither is
-PBKDF2. PRF is not needed, unless the integrator is adding
-krb5_gss_pseudo_random to the subset. The enctype utility APIs are
-not needed. DES and DES3 keys are only used via raw enctypes, so the
-functions in enc_old.c won't be reached. Because of the way the
-crypto library uses vtables internally, removing the unreached code is
-not simply a matter of selecting source files, and it may be simpler
-to just leave the small amount of unreached code in.
-
-A complete inventory of crypto APIs used by the kernel subset can be
-made with:
-
- nm libkgss.a | awk '/U .*_[ck]_/ {print $2}' | sort -u
-
-Currently, that list is:
-
- krb5_c_block_size
- krb5_c_checksum_length
- krb5_c_crypto_length
- krb5_c_make_checksum
- krb5_c_padding_length
- krb5_c_random_make_octets
- krb5int_c_free_keyblock
- krb5int_c_mandatory_cksumtype
- krb5_k_create_key
- krb5_k_decrypt
- krb5_k_decrypt_iov
- krb5_k_encrypt
- krb5_k_encrypt_iov
- krb5_k_free_key
- krb5_k_key_keyblock
- krb5_k_make_checksum
- krb5_k_make_checksum_iov
- krb5_k_verify_checksum
- krb5_k_verify_checksum_iov
-
-Debugging test failures
------------------------
-
-If an error occurs in t_kgss_user, it can be debugged in the same way
-as any program running under the Python test framework. Start by
-re-running the Python script with the -v flag, then add a --debug
-option for the failing command, then set breakpoints or step through
-the process execution as necessary.
-
-If an error occurs in t_kgss_kernel, it is harder to debug, since
-t_kgss_user runs it as a subprocess. On Linux with gdb, it is
-possible to interactively debug t_kgss_kernel by starting an
-interactive gdb session for t_kgss_user and doing:
-
- set follow-fork-mode child
- break main
- run
- cont
-
-You should get a breakpoint in the main() of t_kgss_kernel and should
-be able to set breakpoints from there.
diff --git a/src/util/gss-kernel-lib/deps b/src/util/gss-kernel-lib/deps
deleted file mode 100644
index a263ba2..0000000
--- a/src/util/gss-kernel-lib/deps
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)k5seal.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5seal.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)k5sealiov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealiov.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)k5unseal.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5unseal.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)k5unsealiov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5unsealiov.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)k5sealv3.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealv3.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)k5sealv3iov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealv3iov.c \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)util_cksum.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h util_cksum.c
-$(OUTPRE)util_crypt.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h util_crypt.c
-$(OUTPRE)util_seqnum.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h util_seqnum.c
-$(OUTPRE)util_seed.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h util_seed.c
-$(OUTPRE)util_token.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- k5-buf.h k5-platform.h k5-thread.h util_token.c
-$(OUTPRE)util_set.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- k5-buf.h k5-platform.h k5-thread.h util_set.c
-$(OUTPRE)util_seqstate.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \
- k5-buf.h k5-platform.h k5-thread.h util_seqstate.c
-$(OUTPRE)kernel_gss.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h kernel_gss.c \
- kernel_gss.h krb5.h krb5/authdata_plugin.h krb5/krb5.h \
- krb5/plugin.h osconf.h port-sockets.h profile.h socket-utils.h
-$(OUTPRE)t_kgss_common.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h t_kgss_common.c \
- t_kgss_common.h
-$(OUTPRE)t_kgss_user.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \
- krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \
- port-sockets.h profile.h socket-utils.h t_kgss_common.h \
- t_kgss_user.c
-$(OUTPRE)t_kgss_kernel.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \
- gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \
- gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \
- gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \
- k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \
- k5-platform.h k5-plugin.h k5-thread.h k5-trace.h kernel_gss.h \
- krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \
- osconf.h port-sockets.h profile.h socket-utils.h t_kgss_common.h \
- t_kgss_kernel.c
diff --git a/src/util/gss-kernel-lib/kernel_gss.c b/src/util/gss-kernel-lib/kernel_gss.c
deleted file mode 100644
index 2895d05..0000000
--- a/src/util/gss-kernel-lib/kernel_gss.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/gss_kernel.c - Extra pieces for GSS kernel library */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This file includes a few symbols cherry-picked from larger files, as well as
- * a function to import a lucid sec context.
- */
-
-#include "gssapiP_krb5.h"
-#include "kernel_gss.h"
-
-/* Normally defined in lib/gssapi/krb5/gssapi_krb5.c. */
-static const gss_OID_desc oid_array[] = {
- {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
- {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID}
-};
-#define oids ((gss_OID)oid_array)
-const gss_OID gss_mech_krb5 = &oids[0];
-const gss_OID gss_mech_krb5_old = &oids[1];
-
-/* Create a key from key data in a lucid context. */
-static krb5_error_code
-lkey_to_key(const gss_krb5_lucid_key_t *lkey, krb5_key *key_out)
-{
- krb5_keyblock kb;
-
- kb.enctype = lkey->type;
- kb.length = lkey->length;
- kb.contents = lkey->data;
- return krb5_k_create_key(NULL, &kb, key_out);
-}
-
-/* Get the RFC3961 mandator cksumtype for key. */
-static inline krb5_error_code
-get_cksumtype(krb5_key key, krb5_cksumtype *out)
-{
- return krb5int_c_mandatory_cksumtype(NULL, key->keyblock.enctype, out);
-}
-
-/* Import a lucid context structure, creating a krb5 GSS context structure
- * sufficient for use by by wrap/unwrap/get_mic/verify_mic operations. */
-static krb5_error_code
-import_lucid_sec_context_v1(const gss_krb5_lucid_context_v1_t *lctx,
- gss_ctx_id_t *context_handle_out)
-{
- krb5_error_code ret;
- krb5_gss_ctx_id_t gctx;
- OM_uint32 tmpmin;
- krb5_key key = NULL;
-
- gctx = k5alloc(sizeof(*gctx), &ret);
- if (gctx == NULL)
- return ret;
-
- gctx->initiate = lctx->initiate;
- gctx->krb_times.endtime = lctx->endtime;
- gctx->seq_send = lctx->send_seq;
- gctx->seq_recv = lctx->recv_seq;
- gctx->proto = lctx->protocol;
- if (lctx->protocol == 0) {
- /* Ignore sign_alg and seal_alg since they follow from the enctype. */
- ret = lkey_to_key(&lctx->rfc1964_kd.ctx_key, &key);
- if (ret)
- goto cleanup;
- /* For raw enctypes, choose an enctype expected by kg_setup_keys. */
- if (key->keyblock.enctype == ENCTYPE_DES_CBC_RAW)
- key->keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- else if (key->keyblock.enctype == ENCTYPE_DES3_CBC_RAW)
- key->keyblock.enctype = ENCTYPE_DES3_CBC_SHA1;
- ret = kg_setup_keys(NULL, gctx, key, &gctx->cksumtype);
- if (ret)
- goto cleanup;
- if (gctx->proto != 0) { /* ctx_key did not have a pre-CFX enctype. */
- ret = EINVAL;
- goto cleanup;
- }
- } else if (lctx->protocol == 1) {
- ret = lkey_to_key(&lctx->cfx_kd.ctx_key, &gctx->subkey);
- if (ret)
- goto cleanup;
- ret = get_cksumtype(gctx->subkey, &gctx->cksumtype);
- if (ret)
- goto cleanup;
- if (lctx->cfx_kd.have_acceptor_subkey) {
- gctx->have_acceptor_subkey = 1;
- ret = lkey_to_key(&lctx->cfx_kd.acceptor_subkey,
- &gctx->acceptor_subkey);
- if (ret)
- goto cleanup;
- ret = get_cksumtype(gctx->acceptor_subkey,
- &gctx->acceptor_subkey_cksumtype);
- if (ret)
- goto cleanup;
- }
- }
-
- gctx->seed_init = 0;
- gctx->established = 1;
- gctx->mech_used = (gss_OID_desc *)gss_mech_krb5;
-
- /*
- * The lucid context doesn't convey the gss_flags which indicate whether
- * the protocol needs replay or sequence protection. Assume we don't
- * (because RPCSEC_GSS doesn't).
- */
- g_seqstate_init(&gctx->seqstate, gctx->seq_recv, 0, 0, gctx->proto);
-
- *context_handle_out = (gss_ctx_id_t)gctx;
- gctx = NULL;
-
-cleanup:
- krb5_k_free_key(NULL, key);
- krb5_gss_delete_sec_context(&tmpmin, (gss_ctx_id_t *)&gctx, NULL);
- return ret;
-}
-
-OM_uint32
-krb5_gss_import_lucid_sec_context(OM_uint32 *minor_status, void *lctx,
- gss_ctx_id_t *context_handle_out)
-{
- OM_uint32 vers = ((gss_krb5_lucid_context_version_t *)lctx)->version;
- krb5_error_code ret;
-
- if (vers == 1)
- ret = import_lucid_sec_context_v1((gss_krb5_lucid_context_v1_t *)lctx,
- context_handle_out);
- else
- ret = KG_LUCID_VERSION;
- *minor_status = ret;
- return (ret == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
-}
-
-/*
- * Normally defined in lib/gssapi/krb5/delete_sec_context.c; this version
- * is tailored for imported lucid contexts and has fewer dependencies.
- * Does not handle output tokens.
- */
-OM_uint32
-krb5_gss_delete_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t output_token)
-{
- krb5_gss_ctx_id_t ctx;
-
- if (output_token) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- *minor_status = 0;
- if (*context_handle == GSS_C_NO_CONTEXT)
- return GSS_S_COMPLETE;
-
- ctx = (krb5_gss_ctx_id_t)*context_handle;
- g_seqstate_free(ctx->seqstate);
- krb5_k_free_key(NULL, ctx->enc);
- krb5_k_free_key(NULL, ctx->seq);
- krb5_k_free_key(NULL, ctx->subkey);
- krb5_k_free_key(NULL, ctx->acceptor_subkey);
- memset(ctx, 0, sizeof(*ctx));
- free(ctx);
- *context_handle = GSS_C_NO_CONTEXT;
- return GSS_S_COMPLETE;
-}
-
-/* Normally defined in lib/krb5/krb/kfree.c. */
-
-void KRB5_CALLCONV
-krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val)
-{
- if (val == NULL)
- return;
- free(val->contents);
- val->contents = NULL;
-}
-
-void KRB5_CALLCONV
-krb5_free_keyblock(krb5_context context, register krb5_keyblock *val)
-{
- krb5int_c_free_keyblock (context, val);
-}
-
-void KRB5_CALLCONV
-krb5_free_data(krb5_context context, krb5_data *val)
-{
- if (val == NULL)
- return;
- free(val->data);
- free(val);
-}
diff --git a/src/util/gss-kernel-lib/kernel_gss.h b/src/util/gss-kernel-lib/kernel_gss.h
deleted file mode 100644
index b99f461..0000000
--- a/src/util/gss-kernel-lib/kernel_gss.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/kernel_gss.h - Declarations for kernel GSS library */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef KERNEL_GSS_H
-#define KERNEL_GSS_H
-
-#include <gssapi/gssapi_krb5.h>
-
-OM_uint32
-krb5_gss_import_lucid_sec_context(OM_uint32 *minor_status, void *lctx,
- gss_ctx_id_t *context_handle_out);
-
-#endif /* KERNEL_GSS_H */
diff --git a/src/util/gss-kernel-lib/t_kgss.c b/src/util/gss-kernel-lib/t_kgss.c
deleted file mode 100644
index 623be12..0000000
--- a/src/util/gss-kernel-lib/t_kgss.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss.c - Kernel GSS library test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-int
-main(int argc, char **argv)
-{
- krb5_gss_wrap_iov();
- krb5_gss_wrap_iov_length();
- krb5_gss_wrap();
- krb5_gss_unwrap();
- krb5_gss_unwrap_iov();
- krb5_gss_get_mic();
- krb5_gss_verify_mic();
- return 0;
-}
diff --git a/src/util/gss-kernel-lib/t_kgss.py b/src/util/gss-kernel-lib/t_kgss.py
deleted file mode 100755
index 18a11ba..0000000
--- a/src/util/gss-kernel-lib/t_kgss.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-# Test krb5 negotiation under SPNEGO for all enctype configurations.
-for realm in multipass_realms():
- realm.run(['./t_kgss_user', realm.host_princ])
-
-success('Kernel GSSAPI subset tests')
diff --git a/src/util/gss-kernel-lib/t_kgss_common.c b/src/util/gss-kernel-lib/t_kgss_common.c
deleted file mode 100644
index 49123c6..0000000
--- a/src/util/gss-kernel-lib/t_kgss_common.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_common.c - Common functions for tests */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include <unistd.h>
-#include <gssapi/gssapi_krb5.h>
-#include "t_kgss_common.h"
-
-/* Write len bytes of data to fd, aborting on failure. */
-void
-rewrite(int fd, const void *data, size_t len)
-{
- ssize_t r;
-
- while (len > 0) {
- r = write(fd, data, len);
- if (r == -1 && errno == EINTR)
- continue;
- assert(r > 0);
- data = (char *)data +r;
- len -= r;
- }
-}
-
-/* Read len bytes into buf from fd, aborting on failure. */
-void
-reread(int fd, void *buf, size_t len)
-{
- ssize_t r;
-
- while (len > 0) {
- r = read(fd, buf, len);
- if (r == -1 && errno == EINTR)
- continue;
- assert(r > 0);
- buf = (char *)buf + r;
- len -= r;
- }
-}
-
-/* Send a data packet to fd using a machine-dependent length/value encoding. */
-void
-send_data(int fd, const void *data, size_t len)
-{
- rewrite(fd, &len, sizeof(len));
- rewrite(fd, data, len);
-}
-
-/* Read a packet from fd into an allocated buffer. */
-void
-read_data(int fd, void **data_out, size_t *len_out)
-{
- size_t len;
- void *data;
-
- reread(fd, &len, sizeof(len));
- data = malloc(len);
- assert(data != NULL);
- reread(fd, data, len);
- *data_out = data;
- *len_out = len;
-}
-
-/*
- * Acknowledgements are used to make the parent and child processes operate in
- * lock-step. That way, if the child fails, the parent isn't several steps
- * ahead before it finds out.
- */
-
-void
-send_ack(int fd)
-{
- rewrite(fd, "ack", 3);
-}
-
-void
-read_ack(int fd)
-{
- char buf[3];
-
- reread(fd, buf, 3);
- assert(memcmp(buf, "ack", 3) == 0);
-}
diff --git a/src/util/gss-kernel-lib/t_kgss_common.h b/src/util/gss-kernel-lib/t_kgss_common.h
deleted file mode 100644
index edb3888..0000000
--- a/src/util/gss-kernel-lib/t_kgss_common.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_common.h - Common declarations for tests */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-void rewrite(int fd, const void *data, size_t len);
-void reread(int fd, void *buf, size_t len);
-void send_data(int fd, const void *data, size_t len);
-void read_data(int fd, void **data_out, size_t *len_out);
-void send_ack(int fd);
-void read_ack(int fd);
diff --git a/src/util/gss-kernel-lib/t_kgss_kernel.c b/src/util/gss-kernel-lib/t_kgss_kernel.c
deleted file mode 100644
index bc961eb..0000000
--- a/src/util/gss-kernel-lib/t_kgss_kernel.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_kernel.c - Kernel portion of test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This program links against libkgss.a and is run as a child process of
- * t_kgss_user. It receives an exported acceptor context from its parent and
- * then exchanges wrap, MIC, and IOV tokens with the parent.
- */
-
-#include "k5-int.h"
-#include <unistd.h>
-#include "gssapi_krb5.h"
-#include "gssapiP_krb5.h"
-#include "kernel_gss.h"
-#include "t_kgss_common.h"
-
-/* If major represents an error, display an error message and exit. */
-static void
-check(OM_uint32 major, OM_uint32 minor, const char *fn)
-{
- if (!GSS_ERROR(major))
- return;
- fprintf(stderr, "t_kgss_kernel: %s: major %u, minor %u\n", fn, major,
- minor);
- /* libkgss doesn't have gss_display_status. */
- exit(1);
-}
-
-#define READ(p, f) (memcpy(&f, p, sizeof(f)), p += sizeof(f))
-
-/* Read fields from p into lkey and return the updated pointer. */
-static const unsigned char *
-read_lucid_key(const unsigned char *p, gss_krb5_lucid_key_t *lkey)
-{
- READ(p, lkey->type);
- READ(p, lkey->length);
- lkey->data = malloc(lkey->length);
- assert(lkey->data != NULL);
- memcpy(lkey->data, p, lkey->length);
- return p + lkey->length;
-}
-
-/* Read a data packet from stdin, unmarshal it into a lucid context, and import
- * the lucid context into a GSS-krb5 acceptor context. */
-static void
-read_lucid_context(gss_ctx_id_t *ctx_out)
-{
- void *data;
- size_t len;
- const unsigned char *p;
- gss_krb5_lucid_context_v1_t lctx;
- OM_uint32 major, minor;
-
- /* No length checking; totally unsafe outside of this test program. */
- read_data(STDIN_FILENO, &data, &len);
- p = data;
- READ(p, lctx.version);
- READ(p, lctx.initiate);
- READ(p, lctx.endtime);
- READ(p, lctx.send_seq);
- READ(p, lctx.recv_seq);
- READ(p, lctx.protocol);
- if (lctx.protocol == 0) {
- READ(p, lctx.rfc1964_kd.sign_alg);
- READ(p, lctx.rfc1964_kd.seal_alg);
- p = read_lucid_key(p, &lctx.rfc1964_kd.ctx_key);
- } else if (lctx.protocol == 1) {
- READ(p, lctx.cfx_kd.have_acceptor_subkey);
- p = read_lucid_key(p, &lctx.cfx_kd.ctx_key);
- if (lctx.cfx_kd.have_acceptor_subkey)
- p = read_lucid_key(p, &lctx.cfx_kd.acceptor_subkey);
- } else
- abort();
-
- major = krb5_gss_import_lucid_sec_context(&minor, &lctx, ctx_out);
- check(major, minor, "krb5_gss_import_lucid_sec_context");
-}
-
-/* Read a wrap token from stdin and verify that it says "userwrap". */
-static void
-read_wrap_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc wrapped, buf;
-
- read_data(STDIN_FILENO, &wrapped.value, &wrapped.length);
- major = krb5_gss_unwrap(&minor, ctx, &wrapped, &buf, NULL, NULL);
- check(major, minor, "krb5_gss_unwrap");
- assert(buf.length == 8 && memcmp(buf.value, "userwrap", 8) == 0);
- gssalloc_free(buf.value);
- free(wrapped.value);
-}
-
-/* Read a MIC token from stdin and verify that it is for "usermic". */
-static void
-read_mic_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc mic, buf;
-
- read_data(STDIN_FILENO, &mic.value, &mic.length);
- buf.value = "usermic";
- buf.length = 7;
- major = krb5_gss_verify_mic(&minor, ctx, &buf, &mic, NULL);
- check(major, minor, "krb5_gss_verify_mic");
- free(mic.value);
-}
-
-/* Read an IOV token from stdin and verify that it is for "userwrapmic" with
- * only the "wrap" part wrapped. */
-static void
-read_iov_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
-
- /* Read in buffers and lay out the IOVs. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- read_data(STDIN_FILENO, &iov[0].buffer.value, &iov[0].buffer.length);
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "user";
- iov[1].buffer.length = 4;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- read_data(STDIN_FILENO, &iov[2].buffer.value, &iov[2].buffer.length);
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- read_data(STDIN_FILENO, &iov[4].buffer.value, &iov[4].buffer.length);
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- read_data(STDIN_FILENO, &iov[5].buffer.value, &iov[5].buffer.length);
-
- /* Unwrap and check the data contents. */
- major = krb5_gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 6);
- check(major, minor, "gss_unwrap_iov");
- assert(iov[2].buffer.length == 4);
- assert(memcmp(iov[2].buffer.value, "wrap", 4) == 0);
-
- free(iov[0].buffer.value);
- free(iov[2].buffer.value);
- free(iov[4].buffer.value);
- free(iov[5].buffer.value);
-}
-
-/* Create a wrap token for the text "kernelwrap" and send it to stdout. */
-static void
-send_wrap_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, wrapped;
-
- buf.value = "kernelwrap";
- buf.length = 10;
- major = krb5_gss_wrap(&minor, ctx, 1, GSS_C_QOP_DEFAULT, &buf, NULL,
- &wrapped);
- check(major, minor, "krb5_gss_wrap");
- send_data(STDOUT_FILENO, wrapped.value, wrapped.length);
- gssalloc_free(wrapped.value);
-}
-
-/* Create a wrap token for the text "kernelmic" and send it to stdout. */
-static void
-send_mic_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, mic;
-
- buf.value = "kernelmic";
- buf.length = 9;
- major = krb5_gss_get_mic(&minor, ctx, GSS_C_QOP_DEFAULT, &buf, &mic);
- check(major, minor, "krb5_gss_get_mic");
- send_data(STDOUT_FILENO, mic.value, mic.length);
- gssalloc_free(mic.value);
-}
-
-/* Create an IOV token for "kernelwrapmic", wrapping only the "wrap" part, and
- * send the header/data/padding/trailer buffers to stdout. */
-static void
-send_iov_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
- char *buf, *p;
-
- /* Lay out skeleton IOVs and compute header, padding, trailer lengths. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[0].buffer.value = NULL;
- iov[0].buffer.length = 0;
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "kernel";
- iov[1].buffer.length = 6;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- iov[2].buffer.value = "wrap";
- iov[2].buffer.length = 4;
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- iov[4].buffer.value = NULL;
- iov[4].buffer.length = 0;
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[5].buffer.value = NULL;
- iov[5].buffer.length = 0;
- major = krb5_gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
- iov, 6);
- check(major, minor, "krb5_gss_wrap_iov_length");
-
- /* Create a payload and set header/data/padding/trailer IOV pointers. */
- buf = malloc(iov[0].buffer.length + iov[2].buffer.length +
- iov[4].buffer.length + iov[5].buffer.length);
- assert(buf != NULL);
- p = buf;
- iov[0].buffer.value = p;
- p += iov[0].buffer.length;
- memcpy(p, "wrap", 4);
- iov[2].buffer.value = p;
- p += iov[2].buffer.length;
- iov[4].buffer.value = p;
- p += iov[4].buffer.length;
- iov[5].buffer.value = p;
-
- /* Wrap the payload and send it to fd in chunks. */
- major = krb5_gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 6);
- check(major, minor, "gss_wrap_iov");
- send_data(STDOUT_FILENO, iov[0].buffer.value, iov[0].buffer.length);
- send_data(STDOUT_FILENO, iov[2].buffer.value, iov[2].buffer.length);
- send_data(STDOUT_FILENO, iov[4].buffer.value, iov[4].buffer.length);
- send_data(STDOUT_FILENO, iov[5].buffer.value, iov[5].buffer.length);
- free(buf);
-}
-
-/* Delete the krb5 security context ctx. */
-static void
-cleanup_context(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
-
- major = krb5_gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
- check(major, minor, "gss_delete_sec_context");
-}
-
-int
-main(int argc, char **argv)
-{
- gss_ctx_id_t acceptor;
- int dummy;
-
- /* Make the PRNG work since we're not using krb5_init_context. */
- krb5_c_random_os_entropy(NULL, 0, &dummy);
-
- read_lucid_context(&acceptor);
- send_ack(STDOUT_FILENO);
- read_wrap_token(acceptor);
- send_ack(STDOUT_FILENO);
- read_mic_token(acceptor);
- send_ack(STDOUT_FILENO);
- read_iov_token(acceptor);
- send_ack(STDOUT_FILENO);
-
- send_wrap_token(acceptor);
- read_ack(STDIN_FILENO);
- send_mic_token(acceptor);
- read_ack(STDIN_FILENO);
- send_iov_token(acceptor);
- read_ack(STDIN_FILENO);
-
- cleanup_context(acceptor);
- return 0;
-}
diff --git a/src/util/gss-kernel-lib/t_kgss_user.c b/src/util/gss-kernel-lib/t_kgss_user.c
deleted file mode 100644
index 8c67b5d..0000000
--- a/src/util/gss-kernel-lib/t_kgss_user.c
+++ /dev/null
@@ -1,400 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_user.c - Userspace portion of test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This program is run from t_kgss.py. It establishes initiator and acceptor
- * contexts, then exports the acceptor context to a child program running
- * t_kgss_kernel, which is linked against libkgss.a. Wrap, MIC, and IOV tokens
- * are then exchanged with the child process to test the libkgss functionality.
- */
-
-#include "k5-int.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-#include <gssapi/gssapi_krb5.h>
-#include "t_kgss_common.h"
-
-/* If major represents an error, display an error message and exit. */
-static void
-check(OM_uint32 major, OM_uint32 minor, const char *fn)
-{
- OM_uint32 msg_ctx, tmpmin;
- gss_buffer_desc msg;
-
- if (!GSS_ERROR(major))
- return;
- fprintf(stderr, "%s: major %u, minor %u\n", fn, major, minor);
- gss_display_status(&tmpmin, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%.*s\n", (int)msg.length, (char *)msg.value);
- exit(1);
-}
-
-/* Establish initiator and acceptor security krb5 contexts using default
- * initiator/acceptor creds and a target krb5 principal named tprinc. */
-static void
-establish_contexts(const char *tprinc, gss_ctx_id_t *initiator_out,
- gss_ctx_id_t *acceptor_out)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, itoken, rtoken;
- gss_name_t target_name;
- gss_ctx_id_t initiator = GSS_C_NO_CONTEXT, acceptor = GSS_C_NO_CONTEXT;
-
- /* Import the target principal. */
- buf.value = (void *)tprinc;
- buf.length = strlen(tprinc);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- check(major, minor, "gss_import_name");
-
- /* Create initiator context and get initiator token. */
- itoken.value = NULL;
- itoken.length = 0;
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator,
- target_name, (gss_OID)gss_mech_krb5,
- GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
- NULL, &itoken, NULL, NULL);
- check(major, minor, "gss_init_sec_context(1)");
- assert(major == GSS_S_CONTINUE_NEEDED);
-
- /* Create acceptor context and get response token. */
- rtoken.value = NULL;
- rtoken.length = 0;
- major = gss_accept_sec_context(&minor, &acceptor, GSS_C_NO_CREDENTIAL,
- &itoken, GSS_C_NO_CHANNEL_BINDINGS,
- NULL, NULL, &rtoken, NULL, NULL, NULL);
- check(major, minor, "gss_accept_sec_context");
- assert(major == GSS_S_COMPLETE);
-
- /* Complete initiator context using response token. */
- gss_release_buffer(&minor, &itoken);
- itoken.value = NULL;
- itoken.length = 0;
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator,
- target_name, (gss_OID)gss_mech_krb5,
- GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, &rtoken,
- NULL, &itoken, NULL, NULL);
- check(major, minor, "gss_init_sec_context(2)");
- assert(major == GSS_S_COMPLETE);
- gss_release_buffer(&minor, &rtoken);
- gss_release_buffer(&minor, &itoken);
-
- *initiator_out = initiator;
- *acceptor_out = acceptor;
-}
-
-/* Start t_kgss_kernel in a child process with input and output pipes. */
-static void
-start_child(int *to_child_out, int *from_child_out, pid_t *pid_out)
-{
- pid_t pid;
- int stdin_pipe[2], stdout_pipe[2];
-
- assert(pipe(stdin_pipe) == 0);
- assert(pipe(stdout_pipe) == 0);
- pid = fork();
- if (pid == 0) {
- /* Child. */
- dup2(stdin_pipe[0], STDIN_FILENO);
- dup2(stdout_pipe[1], STDOUT_FILENO);
- close(stdin_pipe[0]);
- close(stdin_pipe[1]);
- close(stdout_pipe[0]);
- close(stdout_pipe[1]);
- execl("./t_kgss_kernel", "./t_kgss_kernel", (char *)NULL);
- _exit(1);
- }
- close(stdin_pipe[0]);
- close(stdout_pipe[1]);
- *to_child_out = stdin_pipe[1];
- *from_child_out = stdout_pipe[0];
- *pid_out = pid;
-}
-
-#define WRITE(b, d) k5_buf_add_len(b, (char *)&d, sizeof(d))
-
-/* Add the fields of lkey to bufp. */
-static void
-add_lucid_key(struct k5buf *bufp, const gss_krb5_lucid_key_t *lkey)
-{
- WRITE(bufp, lkey->type);
- WRITE(bufp, lkey->length);
- k5_buf_add_len(bufp, lkey->data, lkey->length);
-}
-
-/* Using a machine-dependent format, marshal the fields of lctx into an
- * allocated buffer. */
-static void
-marshal_lucid_context(const gss_krb5_lucid_context_v1_t *lctx,
- unsigned char **data_out, size_t *len_out)
-{
- struct k5buf buf;
-
- k5_buf_init_dynamic(&buf);
- WRITE(&buf, lctx->version);
- WRITE(&buf, lctx->initiate);
- WRITE(&buf, lctx->endtime);
- WRITE(&buf, lctx->send_seq);
- WRITE(&buf, lctx->recv_seq);
- WRITE(&buf, lctx->protocol);
- if (lctx->protocol == 0) {
- WRITE(&buf, lctx->rfc1964_kd.sign_alg);
- WRITE(&buf, lctx->rfc1964_kd.seal_alg);
- add_lucid_key(&buf, &lctx->rfc1964_kd.ctx_key);
- } else if (lctx->protocol == 1) {
- WRITE(&buf, lctx->cfx_kd.have_acceptor_subkey);
- add_lucid_key(&buf, &lctx->cfx_kd.ctx_key);
- if (lctx->cfx_kd.have_acceptor_subkey)
- add_lucid_key(&buf, &lctx->cfx_kd.acceptor_subkey);
- } else
- abort();
- assert(k5_buf_status(&buf) == 0);
- *data_out = buf.data;
- *len_out = buf.len;
-}
-
-/* Export ctx as a lucid context, marshal it, and write it to fd. */
-static void
-send_lucid_context(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- void *result;
- gss_krb5_lucid_context_v1_t *lctx;
- unsigned char *data;
- size_t len;
-
- major = gss_krb5_export_lucid_sec_context(&minor, &ctx, 1, &result);
- check(major, minor, "gss_krb5_export_lucid_sec_context");
- lctx = result;
- marshal_lucid_context(lctx, &data, &len);
- send_data(fd, data, len);
- free(data);
-}
-
-/* Create a GSS wrap token of the text "userwrap" and send it to fd. */
-static void
-send_wrap_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, wrapped;
-
- buf.value = "userwrap";
- buf.length = 8;
- major = gss_wrap(&minor, ctx, 1, GSS_C_QOP_DEFAULT, &buf, NULL, &wrapped);
- check(major, minor, "gss_wrap");
- send_data(fd, wrapped.value, wrapped.length);
- gss_release_buffer(&minor, &wrapped);
-}
-
-/* Create a MIC token for the text "usermic" and send it to fd. */
-static void
-send_mic_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, mic;
-
- buf.value = "usermic";
- buf.length = 7;
- major = gss_get_mic(&minor, ctx, GSS_C_QOP_DEFAULT, &buf, &mic);
- check(major, minor, "gss_get_mic");
- send_data(fd, mic.value, mic.length);
- gss_release_buffer(&minor, &mic);
-}
-
-/* Create an IOV token for "userwrapmic", wrapping only the "wrap" part, and
- * send the header/data/padding/trailer buffers to fd. */
-static void
-send_iov_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
- char *buf, *p;
-
- /* Lay out skeleton IOVs and compute header, padding, trailer lengths. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[0].buffer.value = NULL;
- iov[0].buffer.length = 0;
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "user";
- iov[1].buffer.length = 4;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- iov[2].buffer.value = "wrap";
- iov[2].buffer.length = 4;
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- iov[4].buffer.value = NULL;
- iov[4].buffer.length = 0;
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[5].buffer.value = NULL;
- iov[5].buffer.length = 0;
- major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
- iov, 6);
- check(major, minor, "gss_wrap_iov_length");
-
- /* Create a payload and set header/data/padding/trailer IOV pointers. */
- buf = malloc(iov[0].buffer.length + iov[2].buffer.length +
- iov[4].buffer.length + iov[5].buffer.length);
- assert(buf != NULL);
- p = buf;
- iov[0].buffer.value = p;
- p += iov[0].buffer.length;
- memcpy(p, "wrap", 4);
- iov[2].buffer.value = p;
- p += iov[2].buffer.length;
- iov[4].buffer.value = p;
- p += iov[4].buffer.length;
- iov[5].buffer.value = p;
-
- /* Wrap the payload and send it to fd in chunks. */
- major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 6);
- check(major, minor, "gss_wrap_iov");
- send_data(fd, iov[0].buffer.value, iov[0].buffer.length);
- send_data(fd, iov[2].buffer.value, iov[2].buffer.length);
- send_data(fd, iov[4].buffer.value, iov[4].buffer.length);
- send_data(fd, iov[5].buffer.value, iov[5].buffer.length);
- free(buf);
-}
-
-/* Read a wrap token from fd and verify that it says "kernelwrap". */
-static void
-read_wrap_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc wrapped, buf;
-
- read_data(fd, &wrapped.value, &wrapped.length);
- major = gss_unwrap(&minor, ctx, &wrapped, &buf, NULL, NULL);
- check(major, minor, "gss_unwrap");
- assert(buf.length == 10 && memcmp(buf.value, "kernelwrap", 10) == 0);
- gss_release_buffer(&minor, &buf);
- free(wrapped.value);
-}
-
-/* Read a MIC token from fd and verify that it was for "kernelmic". */
-static void
-read_mic_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc mic, buf;
-
- read_data(fd, &mic.value, &mic.length);
- buf.value = "kernelmic";
- buf.length = 9;
- major = gss_verify_mic(&minor, ctx, &buf, &mic, NULL);
- check(major, minor, "gss_verify_mic");
- free(mic.value);
-}
-
-/* Read an IOV token from fd and verify that it is for "kernelwrapmic" with
- * only the "wrap" part wrapped. */
-static void
-read_iov_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
-
- /* Read in buffers and lay out the IOVs. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- read_data(fd, &iov[0].buffer.value, &iov[0].buffer.length);
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "kernel";
- iov[1].buffer.length = 6;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- read_data(fd, &iov[2].buffer.value, &iov[2].buffer.length);
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- read_data(fd, &iov[4].buffer.value, &iov[4].buffer.length);
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- read_data(fd, &iov[5].buffer.value, &iov[5].buffer.length);
-
- /* Unwrap and check the data contents. */
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 6);
- check(major, minor, "gss_unwrap_iov");
- assert(iov[2].buffer.length == 4);
- assert(memcmp(iov[2].buffer.value, "wrap", 4) == 0);
-
- free(iov[0].buffer.value);
- free(iov[2].buffer.value);
- free(iov[4].buffer.value);
- free(iov[5].buffer.value);
-}
-
-/* Delete the security context ctx. */
-static void
-cleanup_context(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
-
- major = gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
- check(major, minor, "gss_delete_sec_context");
-}
-
-int
-main(int argc, char **argv)
-{
- gss_ctx_id_t initiator, acceptor;
- int to_child, from_child, status;
- pid_t child_pid;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s target-princ\n", argv[0]);
- return 1;
- }
-
- establish_contexts(argv[1], &initiator, &acceptor);
- start_child(&to_child, &from_child, &child_pid);
-
- send_lucid_context(acceptor, to_child);
- read_ack(from_child);
- send_wrap_token(initiator, to_child);
- read_ack(from_child);
- send_mic_token(initiator, to_child);
- read_ack(from_child);
- send_iov_token(initiator, to_child);
- read_ack(from_child);
-
- read_wrap_token(initiator, from_child);
- send_ack(to_child);
- read_mic_token(initiator, from_child);
- send_ack(to_child);
- read_iov_token(initiator, from_child);
- send_ack(to_child);
-
- cleanup_context(initiator);
- close(to_child);
- close(from_child);
- assert(wait(&status) == child_pid);
- assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
- return 0;
-}