commit c43cb49715a0ad87b2a5254ffc9ee0dfb2d6d104
Author: MSVSphere Packaging Team
Date: Tue Nov 26 16:52:20 2024 +0300

import krb5-1.21.3-2.el10

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e8b15f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/krb5-1.21.3.tar.gz
diff --git a/.krb5.metadata b/.krb5.metadata
new file mode 100644
index 0000000..a64caeb
--- /dev/null
+++ b/.krb5.metadata
@@ -0,0 +1 @@
+3e383bbe88cbed56bdad4ba655c40abf0e961cf7 SOURCES/krb5-1.21.3.tar.gz
diff --git a/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch b/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
new file mode 100644
index 0000000..84d04bf
--- /dev/null
+++ b/SOURCES/0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
@@ -0,0 +1,310 @@ +From 6f7fd964539dfe4a885068f43a91db9738661870 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 9 Jul 2024 11:15:33 +0200 +Subject: [PATCH] [downstream] Revert "Don't issue session keys with + deprecated enctypes" + +This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463. +--- + doc/admin/conf_files/krb5_conf.rst | 12 ------------ + doc/admin/enctypes.rst | 23 +++------------------- + src/include/k5-int.h | 4 ---- + src/kdc/kdc_util.c | 10 ---------- + src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++------------------- + src/lib/krb5/krb/init_ctx.c | 10 ---------- + src/tests/gssapi/t_enctypes.py | 3 +-- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++------------------------- + src/util/k5test.py | 4 ++-- + 10 files changed, 20 insertions(+), 107 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index ecdf917501..f22d5db11b 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + +-**allow_des3** +- Permit the KDC to issue tickets with des3-cbc-sha1 session keys. +- In future releases, this flag will allow des3-cbc-sha1 to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- +-**allow_rc4** +- Permit the KDC to issue tickets with arcfour-hmac session keys. +- In future releases, this flag will allow arcfour-hmac to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) 
+- + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index dce19ad43e..694922c0d9 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,15 +48,12 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. Starting in krb5-1.21, all services are assumed to support +-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session +-keys will not be issued by default. ++enctypes. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal, overriding the service's +-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. +-See :ref:`set_string` in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal. See :ref:`set_string` ++in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -90,20 +87,6 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + +-**allow_des3** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- des3-cbc-sha1 session keys. In a future release, this flag will +- control whether des3-cbc-sha1 is permitted in similar fashion to +- weak enctypes. +- +-**allow_rc4** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- arcfour-hmac session keys. 
In a future release, this flag will +- control whether arcfour-hmac is permitted in similar fashion to +- weak enctypes. +- + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 2f7791b775..1d1c8293f4 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,8 +180,6 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" +-#define KRB5_CONF_ALLOW_DES3 "allow_des3" +-#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1240,8 +1238,6 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; +- krb5_boolean allow_des3; +- krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index e54cc751f9..75e04b73db 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; + +- /* +- * Prevent these deprecated enctypes from being used as session keys +- * unless they are explicitly allowed. In the future they will be more +- * comprehensively disabled and eventually removed. 
+- */ +- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3) +- continue; +- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4) +- continue; +- + if (dbentry_supports_enctype(context, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ea089f0fcc..1b420a3ac2 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if a deprecated enctype was used for +- * either the reply key or the session key. */ ++/* Display a warning via the prompter if des3-cbc-sha1 was used for either the ++ * reply key or the session key. */ + static void +-warn_deprecated(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_des3(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- krb5_enctype etype; +- char encbuf[128], banner[256]; ++ const char *banner; + +- if (ctx->prompter == NULL) +- return; +- +- if (krb5int_c_deprecated_enctype(as_key_enctype)) +- etype = as_key_enctype; +- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) +- etype = ctx->cred.keyblock.enctype; +- else ++ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && ++ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) + return; +- +- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ if (ctx->prompter == NULL) + return; +- snprintf(banner, sizeof(banner), +- _("Warning: encryption type %s used for authentication is " +- "deprecated and will be disabled"), encbuf); + ++ banner = _("Warning: encryption type des3-cbc-sha1 used for " ++ "authentication is weak and will be disabled"); + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1857,7 +1848,7 @@ 
init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_deprecated(context, ctx, encrypting_key.enctype); ++ warn_des3(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index a6c2bbeb54..87b486c53f 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_des3 = tmp; +- +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_rc4 = tmp; +- + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index f5f11842e2..7494d7fcdb 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. 
+ supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', +- 'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index 38cf96ca8f..c982508d8b 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'allow_weak_crypto': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 5a213617b5..9024aee838 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,8 +25,6 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} +-conf5 = {'libdefaults': {'allow_rc4': 'true'}} +-conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Skip RC4 (as the KDC does not allow it for session keys by +-# default) and negotiate aes128-cts session key, with only an aes256 +-# long-term service key. 
++# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -71,24 +67,4 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + +-# 5: allow_rc4 permits negotiation of rc4-hmac session key. +-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. +-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) +-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 7: default config negotiates aes256-sha1 session key for RC4-only service. +-realm = K5Realm(create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) +-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') +-realm.stop() +- + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 8e5f5ba8e9..2a86c5cdfc 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1340,14 +1340,14 @@ _passes = [ + + # Exercise the DES3 enctype. 
+ ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), +-- +2.45.1 + diff --git a/SOURCES/0002-downstream-ksu-pam-integration.patch b/SOURCES/0002-downstream-ksu-pam-integration.patch new file mode 100644 index 0000000..9afd094 --- /dev/null +++ b/SOURCES/0002-downstream-ksu-pam-integration.patch 
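Review bot: The patch description should state why upstream's gate on deprecated session keys is reverted and what it changes for operators; the only rationale given is `This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463.` With the `allow_des3`/`allow_rc4` checks removed from `select_session_keytype()` in the kdc_util.c hunk, the KDC again issues arcfour-hmac and des3-cbc-sha1 session keys whenever `krb5_is_permitted_enctype()` and the service's keys or `session_enctypes` allow them, as test 3b in t_sesskeynego.py now asserts with `DEPRECATED:arcfour-hmac`. Because the `KRB5_CONF_ALLOW_DES3`/`KRB5_CONF_ALLOW_RC4` lookups are dropped from init_ctx.c, those krb5.conf relations are no longer read, so `permitted_enctypes` is the only remaining way to keep RC4/3DES session keys out, and the narrowed `warn_des3()` in get_in_tkt.c no longer warns users when arcfour-hmac is used for the reply or session key. Suggest adding to the description: `Downstream: RC4 and 3DES session keys are issued again when permitted by permitted_enctypes; allow_rc4/allow_des3 are not recognized, and clients are warned only about des3-cbc-sha1.` Each inner hunk cuts through a function body that continues outside the patch.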
@@ -0,0 +1,777 @@ +From de4205c45e310ceaaa7cd7958af7293322fa43a6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:29:58 -0400 +Subject: [PATCH] [downstream] ksu pam integration + +Modify ksu so that it performs account and session management on behalf of +the target user account, mimicking the action of regular su. The default +service name is "ksu", because on Fedora at least the configuration used +is determined by whether or not a login shell is being opened, and so +this may need to vary, too. At run-time, ksu's behavior can be reset to +the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] +section of /etc/krb5.conf. + +When enabled, ksu gains a dependency on libpam. + +Originally RT#5939, though it's changed since then to perform the account +and session management before dropping privileges, and to apply on top of +changes we're proposing for how it handles cache collections. + +Last-updated: krb5-1.18-beta1 +--- + src/aclocal.m4 | 69 +++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 88 +++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ + src/configure.ac | 2 + + 6 files changed, 610 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 3d66a876b3..ce3c5a9bac 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1458,3 +1458,72 @@ if test "$with_ldap" = yes; then + OPENLDAP_PLUGIN=yes + fi + ])dnl ++dnl ++dnl ++dnl Use PAM instead of local crypt() compare for checking local passwords, ++dnl and perform PAM account, session management, and password-changing where ++dnl appropriate. 
++dnl ++AC_DEFUN(KRB5_WITH_PAM,[ ++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], ++ withpam="$withval",withpam=auto) ++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], ++ withksupamservice="$withval",withksupamservice=ksu) ++old_LIBS="$LIBS" ++if test "$withpam" != no ; then ++ AC_MSG_RESULT([checking for PAM...]) ++ PAM_LIBS= ++ ++ AC_CHECK_HEADERS(security/pam_appl.h) ++ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_pam_start ++ AC_CHECK_FUNCS(putenv pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ unset ac_cv_func_pam_start ++ AC_CHECK_LIB(dl,dlopen) ++ AC_CHECK_FUNCS(pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ AC_CHECK_LIB(pam,pam_start) ++ unset ac_cv_func_pam_start ++ unset ac_cv_func_pam_getenvlist ++ AC_CHECK_FUNCS(pam_start pam_getenvlist) ++ if test "x$ac_cv_func_pam_start" = xyes ; then ++ PAM_LIBS="$LIBS" ++ else ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate libpam.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate libpam.]) ++ fi ++ fi ++ fi ++ fi ++ if test "$withpam" != no ; then ++ AC_MSG_NOTICE([building with PAM support]) ++ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) ++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", ++ [Define to the name of the PAM service name to be used by ksu.]) ++ PAM_LIBS="$LIBS" ++ NON_PAM_MAN=".\\\" " ++ PAM_MAN= ++ else ++ PAM_MAN=".\\\" " ++ NON_PAM_MAN= ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(PAM_LIBS) ++AC_SUBST(PAM_MAN) ++AC_SUBST(NON_PAM_MAN) ++])dnl ++ +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index 8b4edce4d8..9d58f29b5d 100644 +--- a/src/clients/ksu/Makefile.in ++++ 
b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index af12861729..931f054041 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -26,6 +26,7 @@ + * KSU was written by: Ari Medvinsky, ari@isi.edu + */ + ++#include "autoconf.h" + #include "ksu.h" + #include "adm_proto.h" + #include +@@ -33,6 +34,10 @@ + #include + #include + ++#ifdef USE_PAM ++#include "pam.h" ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define KS_TEMPORARY_CACHE "MEMORY:_ksu" +@@ -536,6 +542,23 @@ main (argc, argv) + prog_name,target_user,client_name, + source_user,ontty()); + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ 
force_fork++; ++ } ++#endif ++ + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, _("while switching to target for " +@@ -596,6 +619,24 @@ main (argc, argv) + + exit(1); + } ++#ifdef USE_PAM ++ } else { ++ /* we always do PAM account management, even for root */ ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif + } + + if( some_rest_copy){ +@@ -653,6 +694,30 @@ main (argc, argv) + exit(1); + } + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_session_open() != 0) { ++ fprintf(stderr, "Error opening session for %s.\n", target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Opened PAM session.\n"); ++ } ++#endif ++ if (appl_pam_cred_init()) { ++ fprintf(stderr, "Error initializing credentials for %s.\n", ++ target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Initialized PAM credentials.\n"); ++ } ++#endif ++ } ++#endif ++ + /* set permissions */ + if (setgid(target_pwd->pw_gid) < 0) { + perror("ksu: setgid"); +@@ -750,7 +815,7 @@ main (argc, argv) + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { ++ if( keep_target_cache && !force_fork ) { + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), params[0]); + sweep_up(ksu_context, cc_target); +@@ -780,16 +845,35 @@ main (argc, argv) + if (ret_pid == -1) { + com_err(prog_name, errno, _("while calling waitpid")); + } +- sweep_up(ksu_context, cc_target); ++ if( !keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (statusp); + case -1: + 
com_err(prog_name, errno, _("while trying to fork.")); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_setenv() != 0) { ++ fprintf(stderr, "Error setting up environment for %s.\n", ++ target_user); ++ exit (1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Set up PAM environment.\n"); ++ } ++#endif ++ } ++#endif + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), + params[0]); ++ if( keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (1); + } + } +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 0000000000..cbfe487047 +--- /dev/null ++++ b/src/clients/ksu/pam.c +@@ -0,0 +1,389 @@ ++/* ++ * src/clients/ksu/pam.c ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. ++ */ ++ ++#include "autoconf.h" ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#include "k5-int.h" ++#include "pam.h" ++ ++#ifndef MAXPWSIZE ++#define MAXPWSIZE 128 ++#endif ++ ++static int appl_pam_started; ++static pid_t appl_pam_starter = -1; ++static int appl_pam_session_opened; ++static int appl_pam_creds_initialized; ++static int appl_pam_pwchange_required; ++static pam_handle_t *appl_pamh; ++static struct pam_conv appl_pam_conv; ++static char *appl_pam_user; ++struct appl_pam_non_interactive_args { ++ const char *user; ++ const char *password; ++}; ++ ++int ++appl_pam_enabled(krb5_context context, const char *section) ++{ ++ int enabled = 1; ++ if ((context != NULL) && (context->profile != NULL)) { ++ if (profile_get_boolean(context->profile, ++ section, ++ USE_PAM_CONFIGURATION_KEYWORD, ++ NULL, ++ enabled, &enabled) != 0) { ++ enabled = 1; ++ } ++ } ++ return enabled; ++} ++ ++void ++appl_pam_cleanup(void) ++{ ++ if (getpid() != appl_pam_starter) { ++ return; ++ } ++#ifdef DEBUG ++ printf("Called to clean up PAM.\n"); ++#endif ++ if (appl_pam_creds_initialized) { ++#ifdef DEBUG ++ printf("Deleting PAM credentials.\n"); ++#endif ++ pam_setcred(appl_pamh, PAM_DELETE_CRED); ++ appl_pam_creds_initialized = 0; ++ } ++ if (appl_pam_session_opened) { ++#ifdef DEBUG ++ printf("Closing PAM session.\n"); ++#endif ++ pam_close_session(appl_pamh, 0); ++ 
appl_pam_session_opened = 0; ++ } ++ appl_pam_pwchange_required = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Shutting down PAM.\n"); ++#endif ++ pam_end(appl_pamh, 0); ++ appl_pam_started = 0; ++ appl_pam_starter = -1; ++ free(appl_pam_user); ++ appl_pam_user = NULL; ++ } ++} ++static int ++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, ++ struct pam_response **presp, void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ char *pwstring, pwbuf[MAXPWSIZE]; ++ unsigned int pwsize; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &(msg[0][i]); /* XXX */ ++ message = msg[i]; /* XXX */ ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ printf("[%s]\n", message->msg ? message->msg : ""); ++ fflush(stdout); ++ resp[i].resp = NULL; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ if (fgets(pwbuf, sizeof(pwbuf), ++ stdin) != NULL) { ++ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; ++ pwstring = pwbuf; ++ } ++ } else { ++ pwstring = getpass(message->msg ? 
++ message->msg : ++ ""); ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int ++appl_pam_non_interactive_converse(int num_msg, ++ const struct pam_message **msg, ++ struct pam_response **presp, ++ void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ unsigned int pwsize; ++ struct appl_pam_non_interactive_args *args; ++ const char *pwstring; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ args = appdata_ptr; ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &((*msg)[i]); ++ message = msg[i]; ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ /* assume "user" */ ++ pwstring = args->user; ++ } else { ++ /* assume "password" */ ++ pwstring = args->password; ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int 
++appl_pam_start(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty) ++{ ++ static int exit_handler_registered; ++ static struct appl_pam_non_interactive_args args; ++ int ret = 0; ++ if (appl_pam_started && ++ (strcmp(login_username, appl_pam_user) != 0)) { ++ appl_pam_cleanup(); ++ appl_pam_user = NULL; ++ } ++ if (!appl_pam_started) { ++#ifdef DEBUG ++ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", ++ service, login_username); ++#endif ++ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); ++ appl_pam_conv.conv = interactive ? ++ &appl_pam_interactive_converse : ++ &appl_pam_non_interactive_converse; ++ memset(&args, 0, sizeof(args)); ++ args.user = strdup(login_username); ++ args.password = non_interactive_password ? ++ strdup(non_interactive_password) : ++ NULL; ++ appl_pam_conv.appdata_ptr = &args; ++ ret = pam_start(service, login_username, ++ &appl_pam_conv, &appl_pamh); ++ if (ret == 0) { ++ if (hostname != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RHOST to \"%s\".\n", hostname); ++#endif ++ pam_set_item(appl_pamh, PAM_RHOST, hostname); ++ } ++ if (ruser != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RUSER to \"%s\".\n", ruser); ++#endif ++ pam_set_item(appl_pamh, PAM_RUSER, ruser); ++ } ++ if (tty != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_TTY to \"%s\".\n", tty); ++#endif ++ pam_set_item(appl_pamh, PAM_TTY, tty); ++ } ++ if (!exit_handler_registered && ++ (atexit(appl_pam_cleanup) != 0)) { ++ pam_end(appl_pamh, 0); ++ appl_pamh = NULL; ++ ret = -1; ++ } else { ++ appl_pam_started = 1; ++ appl_pam_starter = getpid(); ++ appl_pam_user = strdup(login_username); ++ exit_handler_registered = 1; ++ } ++ } ++ } ++ return ret; ++} ++int ++appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ 
const char *tty) ++{ ++ int ret; ++ appl_pam_pwchange_required = 0; ++ ret = appl_pam_start(service, interactive, login_username, ++ non_interactive_password, hostname, ruser, tty); ++ if (ret == 0) { ++#ifdef DEBUG ++ printf("Calling pam_acct_mgmt().\n"); ++#endif ++ ret = pam_acct_mgmt(appl_pamh, 0); ++ switch (ret) { ++ case PAM_IGNORE: ++ ret = 0; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ appl_pam_pwchange_required = 1; ++ ret = 0; ++ break; ++ default: ++ break; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_requires_chauthtok(void) ++{ ++ return appl_pam_pwchange_required; ++} ++int ++appl_pam_session_open(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Opening PAM session.\n"); ++#endif ++ ret = pam_open_session(appl_pamh, 0); ++ if (ret == 0) { ++ appl_pam_session_opened = 1; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_setenv(void) ++{ ++ int ret = 0; ++#ifdef HAVE_PAM_GETENVLIST ++#ifdef HAVE_PUTENV ++ int i; ++ char **list; ++ if (appl_pam_started) { ++ list = pam_getenvlist(appl_pamh); ++ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { ++#ifdef DEBUG ++ printf("Setting \"%s\" in environment.\n", list[i]); ++#endif ++ putenv(list[i]); ++ } ++ } ++#endif ++#endif ++ return ret; ++} ++int ++appl_pam_cred_init(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Initializing PAM credentials.\n"); ++#endif ++ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); ++ if (ret == 0) { ++ appl_pam_creds_initialized = 1; ++ } ++ } ++ return ret; ++} ++#endif +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 0000000000..0ab76569cb +--- /dev/null ++++ b/src/clients/ksu/pam.h +@@ -0,0 +1,57 @@ ++/* ++ * src/clients/ksu/pam.h ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. 
++ */ ++ ++#include ++#ifdef HAVE_SECURITY_PAM_APPL_H ++#include ++#endif ++ ++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" ++ ++#ifdef USE_PAM ++int appl_pam_enabled(krb5_context context, const char *section); ++int appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *local_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty); ++int appl_pam_requires_chauthtok(void); ++int appl_pam_session_open(void); ++int appl_pam_setenv(void); ++int appl_pam_cred_init(void); ++void appl_pam_cleanup(void); ++#endif +diff --git a/src/configure.ac b/src/configure.ac +index 77be7a2025..587221936e 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1399,6 +1399,8 @@ AC_SUBST([VERTO_VERSION]) + + AC_PATH_PROG(GROFF, groff) + ++KRB5_WITH_PAM ++ + # Make localedir work in autoconf 2.5x. + if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +-- +2.45.1 + diff --git a/SOURCES/0003-downstream-SELinux-integration.patch b/SOURCES/0003-downstream-SELinux-integration.patch new file mode 100644 index 0000000..a3b32c3 --- /dev/null +++ b/SOURCES/0003-downstream-SELinux-integration.patch 
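Review bot: pam.h has no include guard, and its prototype for appl_pam_acct_mgmt names the third parameter `local_username` while the definition in pam.c calls it `login_username` and hands it to pam_start as the PAM user; repeated inclusion is tolerated by C, but the convention is to wrap the body in `#ifndef KSU_PAM_H` / `#define KSU_PAM_H` / `#endif`, and using one parameter name in both places keeps the contract readable. The header would also benefit from a short comment on `appl_pam_acct_mgmt` noting what the definition shows: `non_interactive_password` is copied with strdup into a static `appl_pam_non_interactive_args` that lives for the duration of the PAM handle, so a caller that wants the secret gone must rely on appl_pam_cleanup (whose body is outside this view) rather than on its own buffer.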
@@ -0,0 +1,1038 @@ +From 30ff501e4b519396f5aea25e24919be817863e7c Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH] [downstream] SELinux integration + +SELinux bases access to files on the domain of the requesting process, +the operation being performed, and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need to be given a +label which differs from that of /etc/issue or /etc/resolv.conf. The +the kdb stash file needs a different label than the database for which +it's holding a master key, even though both typically live in the same +directory. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we attempt to do here. We lean on THREEPARAMOPEN +and define a similar macro named WRITABLEFOPEN with which we replace +several uses of fopen(). + +The file creation context that we're manipulating here is a process-wide +attribute. While for the most part, applications which need to label +files when they're created have tended to be single-threaded, there's +not much we can do to avoid interfering with an application that +manipulates the creation context directly. Right now we're mediating +access using a library-local mutex, but that can only work for consumers +that are part of this package -- an unsuspecting application will still +stomp all over us. + +The selabel APIs for looking up the context should be thread-safe (per +Red Hat #273081), so switching to using them instead of matchpathcon(), +which we used earlier, is some improvement. 
+ +Last-updated: krb5-1.20.1 +[jrische@redhat.com: Replace deprecated security_context_t by char *: + - src/util/support/selinux.c] +--- + src/aclocal.m4 | 48 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.ac | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/kprop/kpropd.c | 9 + + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 405 ++++++++++++++++++ + 24 files changed, 572 insertions(+), 21 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index ce3c5a9bac..3331970930 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1526,4 +1527,51 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++dnl ++dnl Use libselinux to set file contexts on newly-created files. 
++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi + ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_NOTICE([building with SELinux labeling support]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index 8e6eb86601..7677f37359 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -40,6 +40,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -253,7 +254,7 @@ if test -n 
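Review bot: KRB5_WITH_SELINUX probes both selinux/selinux.h and selinux/label.h but only gates on `ac_cv_header_selinux_selinux_h`, and it probes `selabel_open` without acting on the result, while selinux.c includes selinux/label.h and calls selabel_open/selabel_lookup unconditionally once USE_SELINUX is defined, so a libselinux old enough to lack the selabel API is accepted by configure and then fails at compile time. Gating on `if test "x$ac_cv_header_selinux_label_h" != xyes || test "x$ac_cv_func_selabel_open" != xyes ; then` in the same auto/no-error branch used for setfscreatecon closes that gap, but note that only `ac_cv_func_setfscreatecon` is unset before the re-probe with -lselinux, so `unset ac_cv_func_selabel_open` is needed as well or the cached negative from the first probe (run with LIBS empty) is reused. The `SELINUX_LIBS="$LIBS"` inside the fallback branch is redundant with the final assignment after the `withselinux != no` check.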
"$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index a0c60c70b3..7eaa2f351c 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ + KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include + LDFLAGS = @LDFLAGS@ + LIBS = @LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on macOS! +diff --git a/src/configure.ac b/src/configure.ac +index 587221936e..69be9030f8 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1401,6 +1401,8 @@ AC_PATH_PROG(GROFF, groff) + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + # Make localedir work in autoconf 2.5x. 
+ if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 1d1c8293f4..768110e5ef 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -128,6 +128,7 @@ typedef unsigned char u_char; + + + #include "k5-platform.h" ++#include "k5-label.h" + + #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ + #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 0000000000..dfaaa847cb +--- /dev/null ++++ b/src/include/k5-label.h +@@ -0,0 +1,32 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H ++ ++#ifdef THREEPARAMOPEN ++#undef THREEPARAMOPEN ++#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif ++ ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif ++#endif +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 4e09ed345d..09f800be52 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -83,6 +83,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO 
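Review bot: k5-label.h declares krb5int_labeled_creat, krb5int_labeled_mkdir and krb5int_labeled_mknod, and selinux.c defines them, but the EXTRA_SUPPORT_SYMS list added in aclocal.m4 names only krb5int_labeled_open, krb5int_labeled_fopen, krb5int_push_fscreatecon_for and krb5int_pop_fscreatecon; if that variable is what feeds the libkrb5support export list, the three extra functions cannot be reached from the other libraries and the first caller (cc_dir.c's verify_dir is an obvious candidate for krb5int_labeled_mkdir) fails to link. Either add them to EXTRA_SUPPORT_SYMS or drop the dead declarations and definitions. The non-SELinux branch of the header also never declares the push/pop pair, which is why every call site in this patch carries three `#ifdef USE_SELINUX` blocks; a pair of no-op stubs there, `static inline void *krb5int_push_fscreatecon_for(const char *p) { return NULL; }` and `static inline void krb5int_pop_fscreatecon(void *c) { }`, would let dump.c, kpropd.c, cc_dir.c and kdb5_ldap_services.c call them unconditionally (pop already treats NULL as "nothing to do").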
+ + #include +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index a89b5144f6..4d6cc0bdf9 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) + { + int fd = -1; + FILE *f; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + *tmpname = NULL; + if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0) + goto error; + ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(ofile); ++#endif + fd = mkstemp(*tmpname); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd == -1) + goto error; + +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) + goto cleanup; + } + +- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); + goto cleanup; +diff --git a/src/kdc/main.c b/src/kdc/main.c +index bfdfef5c48..b43fe9a082 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -844,7 +844,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index aa3c81ea30..cb9785aaeb 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -488,6 +488,9 @@ doit(int fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN + 1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); +@@ -543,9 +546,15 @@ doit(int fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); 
++#endif + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index e14da53790..b879a4049b 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -310,7 +310,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do + */ + append = (cp[4] == ':') ? O_APPEND : 0; + if (append || cp[4] == '=') { +- fd = open(&cp[5], O_CREAT | O_WRONLY | append, ++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, + S_IRUSR | S_IWUSR | S_IRGRP); + if (fd != -1) + f = fdopen(fd, append ? "a" : "w"); +@@ -777,7 +777,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 2659a25018..e9b95fce59 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + return ENOMEM; + + if (stat(logname, &st) == -1) { +- log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index 1da40b51d0..f3ab7340a6 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", 
primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index e510211fc5..f3ea28c8ec 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? 
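Review bot: verify_dir labels the new directory by calling krb5int_push_fscreatecon_for(dirname) before mkdir, but that helper stats the path first and, because the directory does not exist yet, falls back to a plain-file mode (`S_IRUSR | S_IWUSR`) for the selabel_lookup; with no type bits in the mode, selabel_lookup cannot use the object type to disambiguate, so if file_contexts has both a `--` and a `-d` entry for the matching pattern, which one wins depends on their order rather than on the fact that a directory is being created. selinux.c already has krb5int_labeled_mkdir, which looks the label up with S_IFDIR, so `status = krb5int_labeled_mkdir(dirname, S_IRWXU);` under `#ifdef USE_SELINUX` (plain `mkdir` in the `#else`) is both shorter and more accurate, provided that symbol is exported from libkrb5support, which the aclocal.m4 hunk does not currently arrange. The same stat fallback applies to write_primary_file's mkstemp, but there a regular-file mode is the right one.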
"rb+" : "rb"); + if (!KTFILEP(id)) { + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { + /* try making it first time around */ + k5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), "rb+"); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+"); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 4cbbbb270a..c4058ddc96 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -460,7 +460,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 9a506e9d44..f92ab47143 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + * needs be open read/write so that write locking can work with + * POSIX systems + */ +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 2c163d91cc..9a344a603e 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17f3a..d5809a5a93 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "btree.h" + +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 862dbb1640..686a960c96 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; + #include + #endif + ++#include "k5-int.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) + new_table = 1; + } + if (file) { +- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c 
b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e7011..b0daa7c021 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index e87688d666..30f7c00ab5 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, "a+"); + if (pfile == NULL) { + com_err(me, errno, _("Failed to open file %s: %s"), file_name, + strerror (errno)); +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + * Delete the existing entry and add the new entry + */ + FILE *newfile; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + mode_t omask; + +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + } + + omask = umask(077); ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file_name); ++#endif + newfile = fopen(tmp_file, "w"); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + umask (omask); + if (newfile == NULL) { + com_err(me, errno, _("Error creating file %s"), tmp_file); +diff --git 
a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index aa951df05f..79f9500f69 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -33,6 +33,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 86d5a950a6..1052d53a1e 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -74,6 +74,7 @@ IPC_SYMS= \ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -168,7 +169,7 @@ SRCS=\ + + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + + DEPLIBS= + +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 0000000000..807d039da3 +--- /dev/null ++++ b/src/util/support/selinux.c +@@ -0,0 +1,405 @@ ++/* ++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. 
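Review bot: In write_data_to_file the label is now looked up for `new_file`, which from the surrounding code appears to be a temporary that is later renamed over `outfile` (the rename is outside the hunk), so the selabel_lookup runs against a temp name that a file_contexts pattern written for the real profile path may not match. The other temp-then-rename sites in this patch (dump.c, cc_dir.c, kdb5_ldap_services.c) avoid this by pushing the creation context for the final path and opening the temporary with a plain call; doing the same here keeps the labeling consistent across the patch. write_data_to_file starts and ends outside the hunk.
```c
    /* … unchanged: other locals; add alongside them … */
#ifdef USE_SELINUX
    void *selabel;
#endif
    /* … unchanged: new_file construction … */
    errno = 0;

    /* Label the temporary as the final profile path, as dump.c and cc_dir.c do. */
#ifdef USE_SELINUX
    selabel = krb5int_push_fscreatecon_for(outfile);
#endif
    f = fopen(new_file, "w");
#ifdef USE_SELINUX
    krb5int_pop_fscreatecon(selabel);
#endif
```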
nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* #define DEBUG 1 */ ++static void ++debug_log(const char *fmt, ...) ++{ ++#ifdef DEBUG ++ va_list ap; ++ va_start(ap, fmt); ++ if (isatty(fileno(stderr))) { ++ vfprintf(stderr, fmt, ap); ++ } ++ va_end(ap); ++#endif ++ ++ return; ++} ++ ++/* Mutex used to serialize use of the process-global file creation context. */ ++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; ++ ++/* Make sure we finish initializing that mutex before attempting to use it. 
*/ ++k5_once_t labeled_once = K5_ONCE_INIT; ++static void ++label_mutex_init(void) ++{ ++ k5_mutex_finish_init(&labeled_mutex); ++} ++ ++static struct selabel_handle *selabel_ctx; ++static time_t selabel_last_changed; ++ ++MAKE_FINI_FUNCTION(cleanup_fscreatecon); ++ ++static void ++cleanup_fscreatecon(void) ++{ ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } ++} ++ ++static char * ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ char *previous, *configuredsc, *currentsc, *genpath; ++ const char *derivedsc, *fullpath, *currentuser; ++ context_t current, derived; ++ ++ previous = configuredsc = currentsc = genpath = NULL; ++ derivedsc = NULL; ++ current = derived = NULL; ++ ++ fullpath = pathname; ++ ++ if (!is_selinux_enabled()) { ++ goto fail; ++ } ++ ++ if (getfscreatecon(&previous) != 0) { ++ goto fail; ++ } ++ ++ /* Canonicalize pathname */ ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ goto fail; ++ } ++ ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ goto fail; ++ } ++ ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } ++ ++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode); ++ ++ /* Check whether context file has changed under us */ ++ if (selabel_ctx != NULL || selabel_last_changed == 0) { ++ const char *cpath; ++ struct stat st; ++ int i = -1; ++ ++ cpath = selinux_file_context_path(); ++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 || ++ st.st_mtime != selabel_last_changed) { ++ cleanup_fscreatecon(); ++ ++ selabel_last_changed = i ? 
time(NULL) : st.st_mtime; ++ } ++ } ++ ++ if (selabel_ctx == NULL) { ++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ } ++ ++ if (selabel_ctx != NULL && ++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) { ++ goto fail; ++ } ++ ++ if (genpath != NULL) { ++ free(genpath); ++ genpath = NULL; ++ } ++ ++ if (configuredsc == NULL) { ++ goto fail; ++ } ++ ++ getcon(¤tsc); ++ ++ /* AAAAAAAA */ ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ ++ if (derived != NULL) { ++ current = context_new(currentsc); ++ ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ ++ context_free(current); ++ } ++ ++ context_free(derived); ++ } ++ ++ freecon(currentsc); ++ } ++ ++ debug_log("Setting file creation context to \"%s\".\n", configuredsc); ++ if (setfscreatecon(configuredsc) != 0) { ++ debug_log("Unable to determine current context.\n"); ++ goto fail; ++ } ++ ++ freecon(configuredsc); ++ return previous; ++ ++fail: ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ if (genpath != NULL) { ++ free(genpath); ++ } ++ if (configuredsc != NULL) { ++ freecon(configuredsc); ++ } ++ ++ cleanup_fscreatecon(); ++ return NULL; ++} ++ ++static void ++pop_fscreatecon(char *previous) ++{ ++ if (!is_selinux_enabled()) { ++ return; ++ } ++ ++ if (previous != NULL) { ++ debug_log("Resetting file creation context to \"%s\".\n", previous); ++ } else { ++ debug_log("Resetting file creation context to default.\n"); ++ } ++ ++ /* NULL resets to default */ ++ setfscreatecon(previous); ++ ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ ++ /* Need to clean this up here otherwise it leaks */ ++ cleanup_fscreatecon(); ++} ++ ++void * ++krb5int_push_fscreatecon_for(const char *pathname) ++{ ++ 
struct stat st;
++ void *retval;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++
++ if (stat(pathname, &st) != 0) {
++ st.st_mode = S_IRUSR | S_IWUSR;
++ }
++
++ retval = push_fscreatecon(pathname, st.st_mode);
++ return retval ? retval : (void *) -1;
++}
++
++void
++krb5int_pop_fscreatecon(void *con)
++{
++ if (con != NULL) {
++ pop_fscreatecon((con == (void *) -1) ? NULL : con);
++ k5_mutex_unlock(&labeled_mutex);
++ }
++}
++
++FILE *
++krb5int_labeled_fopen(const char *path, const char *mode)
++{
++ FILE *fp;
++ int errno_save;
++ char *ctx;
++
++ if ((strcmp(mode, "r") == 0) ||
++ (strcmp(mode, "rb") == 0)) {
++ return fopen(path, mode);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fp = fopen(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fp;
++}
++
++int
++krb5int_labeled_creat(const char *path, mode_t mode)
++{
++ int fd;
++ int errno_save;
++ char *ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fd = creat(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
++}
++
++int
++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
++{
++ int ret;
++ int errno_save;
++ char *ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, mode);
++
++ ret = mknod(path, mode, dev);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
++}
++
++int
++krb5int_labeled_mkdir(const char *path, mode_t mode)
++{
++ int ret;
++ int errno_save;
++ char *ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = 
push_fscreatecon(path, S_IFDIR);
++
++ ret = mkdir(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
++}
++
++int
++krb5int_labeled_open(const char *path, int flags, ...)
++{
++ int fd;
++ int errno_save;
++ char *ctx;
++ mode_t mode;
++ va_list ap;
++
++ if ((flags & O_CREAT) == 0) {
++ return open(path, flags);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ va_start(ap, flags);
++ mode = va_arg(ap, mode_t);
++ fd = open(path, flags, mode);
++ va_end(ap);
++
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
++}
++
++#endif /* USE_SELINUX */
+--
+2.45.1
+
diff --git a/SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch b/SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch
new file mode 100644
index 0000000..c21b269
--- /dev/null
+++ b/SOURCES/0004-downstream-fix-debuginfo-with-y.tab.c.patch
@@ -0,0 +1,44 @@
+From 393830d96000ed692aa9a99ef87187d6f2863931 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 23 Aug 2016 16:49:25 -0400
+Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
+
+We want to keep these y.tab.c files around because the debuginfo points to
+them. It would be more elegant at the end to use symbolic links, but that
+could mess up people working in the tree on other things.
+
+Last-updated: krb5-1.9
+---
+ src/kadmin/cli/Makefile.in | 5 +++++
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index adfea6e2b5..d1327e400b 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
+ # CC_LINK is not meant for compilation and this use may break in the future.
+ datetest: getdate.c
+ $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
++
++%.c: %.y
++ $(RM) y.tab.c $@
++ $(YACC.y) $<
++ $(CP) y.tab.c $@
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436c..a22f23c02c 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
+ getdate.c: $(GETDATE)
+ $(RM) getdate.c y.tab.c
+ $(YACC) $(GETDATE)
+- $(MV) y.tab.c getdate.c
++ $(CP) y.tab.c getdate.c
+
+ install:
+ $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+--
+2.45.1
+
diff --git a/SOURCES/0005-downstream-Remove-3des-support.patch b/SOURCES/0005-downstream-Remove-3des-support.patch
new file mode 100644
index 0000000..fcdb136
--- /dev/null
+++ b/SOURCES/0005-downstream-Remove-3des-support.patch
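Review bot: The new `%.c: %.y` rule added to src/kadmin/cli/Makefile.in runs `$(YACC.y) $<`, but `YACC.y` is defined nowhere in the patch; it appears to rely on GNU make's built-in default (`$(YACC) $(YFLAGS)`), while the sibling hunk for ldap_util/Makefile.in calls the configure-provided `$(YACC)` directly. Under a make that does not predefine it, the variable expands to nothing and the recipe line reduces to executing the .y file itself, so the two rules are inconsistent and one of them is fragile; `$(YACC) $<` would put both on the same variable. Both recipes also deliberately leave `y.tab.c` behind in the build directory, which is the stated intent, but neither hunk touches a clean target; if none outside the hunk removes it, a `$(RM) y.tab.c` in the directory's clean rule would keep the retained intermediate from surviving `make clean`.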
@@ -0,0 +1,6205 @@ +From 7d697742abb370cfc7241c1faa78ba08d7650f6a Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 26 Mar 2019 18:51:10 -0400 +Subject: [PATCH] [downstream] Remove 3des support + +Completely remove support for all DES3 enctypes (des3-cbc-raw, +des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation +to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain +their constants. + +Last-updated: 1.21.1-final +[antorres@redhat.com: remove diffs for: + - src/kdamin/testing/proto/kdc.conf.proto + - src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp + - src/lib/kadm5/unit-test/api.current/get-principal-v2.exp + - src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp + since they were removed by Remove-TCL-based-libkadm5-API-tests.patch] +[jrische@redhat.com: restore supportedCMSTypes (not using 3DES any more): + - src/plugins/preauth/pkinit/pkinit_crypto.h + - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c + - src/plugins/preauth/pkinit/pkinit_clnt.c] +--- + doc/admin/advanced/retiring-des.rst | 11 + + doc/admin/conf_files/kdc_conf.rst | 7 +- + doc/admin/enctypes.rst | 10 +- + doc/admin/troubleshoot.rst | 9 +- + doc/appdev/refs/macros/index.rst | 1 - + doc/conf.py | 2 +- + doc/mitK5features.rst | 2 +- + src/Makefile.in | 4 +- + src/configure.ac | 4 +- + src/include/krb5/krb5.hin | 10 +- + src/kdc/kdc_util.c | 4 - + src/lib/crypto/Makefile.in | 8 +- + src/lib/crypto/builtin/Makefile.in | 4 +- + src/lib/crypto/builtin/des/ISSUES | 13 - + src/lib/crypto/builtin/des/Makefile.in | 82 ---- + src/lib/crypto/builtin/des/d3_aead.c | 137 ------ + src/lib/crypto/builtin/des/d3_kysched.c | 55 --- + src/lib/crypto/builtin/des/deps | 146 ------- + src/lib/crypto/builtin/des/des_int.h | 285 ------------- + src/lib/crypto/builtin/des/des_keys.c | 38 -- + src/lib/crypto/builtin/des/destest.c | 240 ----------- + src/lib/crypto/builtin/des/doc/libdes.doc | 208 --------- + src/lib/crypto/builtin/des/f_aead.c | 177 -------- 
+ src/lib/crypto/builtin/des/f_cbc.c | 256 ------------ + src/lib/crypto/builtin/des/f_cksum.c | 141 ------- + src/lib/crypto/builtin/des/f_parity.c | 64 --- + src/lib/crypto/builtin/des/f_sched.c | 363 ---------------- + src/lib/crypto/builtin/des/f_tables.c | 375 ----------------- + src/lib/crypto/builtin/des/f_tables.h | 285 ------------- + src/lib/crypto/builtin/des/key_sched.c | 66 --- + src/lib/crypto/builtin/des/keytest.data | 171 -------- + src/lib/crypto/builtin/des/t_verify.c | 395 ------------------ + src/lib/crypto/builtin/des/weak_key.c | 90 ---- + .../crypto/builtin/enc_provider/Makefile.in | 5 +- + src/lib/crypto/builtin/enc_provider/deps | 11 - + src/lib/crypto/builtin/enc_provider/des3.c | 109 ----- + src/lib/crypto/crypto_tests/t_cf2.expected | 1 - + src/lib/crypto/crypto_tests/t_cf2.in | 5 - + src/lib/crypto/crypto_tests/t_cksums.c | 10 - + src/lib/crypto/crypto_tests/t_decrypt.c | 57 --- + src/lib/crypto/crypto_tests/t_derive.c | 36 -- + src/lib/crypto/crypto_tests/t_encrypt.c | 1 - + src/lib/crypto/crypto_tests/t_short.c | 1 - + src/lib/crypto/crypto_tests/t_str2key.c | 52 --- + src/lib/crypto/crypto_tests/vectors.c | 4 - + src/lib/crypto/krb/Makefile.in | 3 - + src/lib/crypto/krb/cksumtypes.c | 6 - + src/lib/crypto/krb/crypto_int.h | 11 - + src/lib/crypto/krb/default_state.c | 10 - + src/lib/crypto/krb/enctype_util.c | 3 + + src/lib/crypto/krb/etypes.c | 21 - + src/lib/crypto/krb/prf_des.c | 47 --- + src/lib/crypto/krb/random_to_key.c | 28 -- + src/lib/crypto/libk5crypto.exports | 1 - + src/lib/crypto/openssl/Makefile.in | 4 +- + src/lib/crypto/openssl/des/Makefile.in | 20 - + src/lib/crypto/openssl/des/deps | 14 - + src/lib/crypto/openssl/des/des_keys.c | 39 -- + .../crypto/openssl/enc_provider/Makefile.in | 3 - + src/lib/crypto/openssl/enc_provider/deps | 11 - + src/lib/crypto/openssl/enc_provider/des3.c | 188 --------- + src/lib/crypto/openssl/kdf.c | 2 - + src/lib/gssapi/krb5/accept_sec_context.c | 1 - + src/lib/gssapi/krb5/gssapiP_krb5.h 
| 6 +- + src/lib/gssapi/krb5/k5seal.c | 35 +- + src/lib/gssapi/krb5/k5sealiov.c | 27 +- + src/lib/gssapi/krb5/k5unseal.c | 88 ++-- + src/lib/gssapi/krb5/k5unsealiov.c | 38 +- + src/lib/gssapi/krb5/util_crypt.c | 11 - + src/lib/krb5/krb/init_ctx.c | 3 - + src/lib/krb5/krb/s4u_creds.c | 2 - + src/lib/krb5/krb/t_etypes.c | 48 +-- + src/lib/krb5/os/t_trace.c | 4 +- + src/lib/krb5/os/t_trace.ref | 2 +- + src/plugins/preauth/pkinit/pkcs11.h | 6 +- + src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +- + src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 -- + src/plugins/preauth/spake/t_vectors.c | 25 -- + src/tests/gssapi/t_enctypes.py | 33 +- + src/tests/gssapi/t_invalid.c | 12 - + src/tests/gssapi/t_pcontok.c | 16 +- + src/tests/gssapi/t_prf.c | 7 - + src/tests/t_authdata.py | 2 +- + src/tests/t_etype_info.py | 21 +- + src/tests/t_keyrollover.py | 8 +- + src/tests/t_mkey.py | 35 -- + src/tests/t_salt.py | 5 +- + src/util/k5test.py | 7 - + .../leash/htmlhelp/html/Encryption_Types.htm | 13 - + 89 files changed, 149 insertions(+), 4712 deletions(-) + delete mode 100644 src/lib/crypto/builtin/des/ISSUES + delete mode 100644 src/lib/crypto/builtin/des/Makefile.in + delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c + delete mode 100644 src/lib/crypto/builtin/des/d3_kysched.c + delete mode 100644 src/lib/crypto/builtin/des/deps + delete mode 100644 src/lib/crypto/builtin/des/des_int.h + delete mode 100644 src/lib/crypto/builtin/des/des_keys.c + delete mode 100644 src/lib/crypto/builtin/des/destest.c + delete mode 100644 src/lib/crypto/builtin/des/doc/libdes.doc + delete mode 100644 src/lib/crypto/builtin/des/f_aead.c + delete mode 100644 src/lib/crypto/builtin/des/f_cbc.c + delete mode 100644 src/lib/crypto/builtin/des/f_cksum.c + delete mode 100644 src/lib/crypto/builtin/des/f_parity.c + delete mode 100644 src/lib/crypto/builtin/des/f_sched.c + delete mode 100644 src/lib/crypto/builtin/des/f_tables.c + delete mode 100644 src/lib/crypto/builtin/des/f_tables.h + delete mode 
100644 src/lib/crypto/builtin/des/key_sched.c + delete mode 100644 src/lib/crypto/builtin/des/keytest.data + delete mode 100644 src/lib/crypto/builtin/des/t_verify.c + delete mode 100644 src/lib/crypto/builtin/des/weak_key.c + delete mode 100644 src/lib/crypto/builtin/enc_provider/des3.c + delete mode 100644 src/lib/crypto/krb/prf_des.c + delete mode 100644 src/lib/crypto/openssl/des/Makefile.in + delete mode 100644 src/lib/crypto/openssl/des/deps + delete mode 100644 src/lib/crypto/openssl/des/des_keys.c + delete mode 100644 src/lib/crypto/openssl/enc_provider/des3.c + +diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst +index 38f76d3f45..d5e3c30c04 100644 +--- a/doc/admin/advanced/retiring-des.rst ++++ b/doc/admin/advanced/retiring-des.rst +@@ -10,6 +10,13 @@ ability have rendered DES vulnerable to brute force attacks on its 56-bit + keyspace. As such, it is now considered insecure and should not be + used (:rfc:`6649`). + ++In 1999, MIT krb5 added support for Triple-DES (3DES) encryption types. ++However, due to weakenings of DES and other security concerns, it is now also ++considered insecure and should not be used (:rfc:`8429`). AES encryption ++types were added to MIT in 2003, meaning that the number of deployments with ++3DES as the strongest encryption type is hopefully small. The rotation ++procedure described herein works for both DES and 3DES. ++ + History + ------- + +@@ -27,6 +34,10 @@ and removed DES (single-DES) support in release 1.18. As a + consequence, a release prior to 1.18 is required to perform these + migrations. + ++3DES (a flagged deprecated encryption type) was also removed downstream by ++rharwood@redhat.com starting in 1.18; likewise, a pre-1.18 release is required ++to perform these migrations. 
++ + Types of keys + ------------- + +diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst +index 74a0a2acef..846c58ed82 100644 +--- a/doc/admin/conf_files/kdc_conf.rst ++++ b/doc/admin/conf_files/kdc_conf.rst +@@ -854,8 +854,6 @@ Encryption types marked as "weak" and "deprecated" are available for + compatibility but not recommended for use. + + ==================================================== ========================================================= +-des3-cbc-raw Triple DES cbc mode raw (weak) +-des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 (deprecated) + aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC + aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC + aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC +@@ -864,7 +862,6 @@ arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecat + arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) + camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC + camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC +-des3 The triple DES family: des3-cbc-sha1 + aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 + rc4 The RC4 family: arcfour-hmac + camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac +@@ -876,8 +873,8 @@ from the current list by prefixing them with a minus sign ("-"). + Types or families can be prefixed with a plus sign ("+") for symmetry; + it has the same meaning as just listing the type or family. 
For + example, "``DEFAULT -rc4``" would be the default set of encryption +-types with RC4 types removed, and "``des3 DEFAULT``" would be the +-default set of encryption types with triple DES types moved to the ++types with RC4 types removed, and "``aes128-sha2 DEFAULT``" would be ++the default set of encryption types with aes128-sha2 moved to the + front. + + While **aes128-cts** and **aes256-cts** are supported for all Kerberos +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index 694922c0d9..c4d5499d3b 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -129,7 +129,7 @@ enctype weak? krb5 Windows + des-cbc-crc weak <1.18 >=2000 + des-cbc-md4 weak <1.18 ? + des-cbc-md5 weak <1.18 >=2000 +-des3-cbc-sha1 deprecated >=1.1 none ++des3-cbc-sha1 deprecated <1.18 none + arcfour-hmac deprecated >=1.3 >=2000 + arcfour-hmac-exp weak >=1.3 >=2000 + aes128-cts-hmac-sha1-96 >=1.3 >=Vista +@@ -148,9 +148,11 @@ default. + krb5 releases 1.17 and later flag deprecated encryption types + (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and + kadmin output. krb5 release 1.19 issues a warning during initial +-authentication if ``des3-cbc-sha1`` is used. Future releases will +-disable ``des3-cbc-sha1`` by default and eventually remove support for +-it. ++authentication if ``des3-cbc-sha1`` is used. ++ ++krb5 releases 1.18 and later remove single-DES and 3DES ++(downstream-only patch) enctype support. Microsoft Windows never ++supported 3DES. + + + Migrating away from older encryption types +diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst +index ade5e1f87a..e4dc54f7e5 100644 +--- a/doc/admin/troubleshoot.rst ++++ b/doc/admin/troubleshoot.rst +@@ -73,11 +73,10 @@ credential verification failed: KDC has no support for encryption type + ...................................................................... 
+ + This most commonly happens when trying to use a principal with only +-DES keys, in a release (MIT krb5 1.7 or later) which disables DES by +-default. DES encryption is considered weak due to its inadequate key +-size. If you cannot migrate away from its use, you can re-enable DES +-by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults` +-section of :ref:`krb5.conf(5)`. ++DES/3DES keys, in a release (MIT krb5 1.7 or later) which disables DES ++by default. DES encryption is considered weak due to its inadequate ++key size and has been removed upstream; 3DES is not recommended, and ++has been removed downstream by rharwood@redhat.com. + + + .. _err_cert_chain_cert_expired: +diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst +index 45fe160d7f..b4b1f3bd93 100644 +--- a/doc/appdev/refs/macros/index.rst ++++ b/doc/appdev/refs/macros/index.rst +@@ -36,7 +36,6 @@ Public + CKSUMTYPE_HMAC_SHA1_96_AES256.rst + CKSUMTYPE_HMAC_SHA256_128_AES128.rst + CKSUMTYPE_HMAC_SHA384_192_AES256.rst +- CKSUMTYPE_HMAC_SHA1_DES3.rst + CKSUMTYPE_MD5_HMAC_ARCFOUR.rst + CKSUMTYPE_NIST_SHA.rst + CKSUMTYPE_RSA_MD4.rst +diff --git a/doc/conf.py b/doc/conf.py +index ecf9020a72..db7fa377ef 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -281,7 +281,7 @@ else: + rst_epilog += ''' + .. |krb5conf| replace:: ``/etc/krb5.conf`` + .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` +-.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` ++.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` + .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` + .. 
|copy| unicode:: U+000A9 + ''' +diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst +index 10effcf175..cad0855724 100644 +--- a/doc/mitK5features.rst ++++ b/doc/mitK5features.rst +@@ -37,7 +37,7 @@ Database backends: LDAP, DB2, LMDB + + krb4 support: Kerberos 5 release < 1.8 + +-DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`) ++DES/3DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`) + + Interoperability + ---------------- +diff --git a/src/Makefile.in b/src/Makefile.in +index 8f14e9bf2c..ba3bb18eec 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -130,7 +130,7 @@ WINMAKEFILES=Makefile \ + lib\Makefile lib\crypto\Makefile lib\crypto\krb\Makefile \ + lib\crypto\builtin\Makefile lib\crypto\builtin\aes\Makefile \ + lib\crypto\builtin\enc_provider\Makefile \ +- lib\crypto\builtin\des\Makefile lib\crypto\builtin\md5\Makefile \ ++ lib\crypto\builtin\md5\Makefile \ + lib\crypto\builtin\camellia\Makefile lib\crypto\builtin\md4\Makefile \ + lib\crypto\builtin\hash_provider\Makefile \ + lib\crypto\builtin\sha2\Makefile lib\crypto\builtin\sha1\Makefile \ +@@ -202,8 +202,6 @@ WINMAKEFILES=Makefile \ + ##DOS## $(WCONFIG) config < $@.in > $@ + ##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP) + ##DOS## $(WCONFIG) config < $@.in > $@ +-##DOS##lib\crypto\builtin\des\Makefile: lib\crypto\builtin\des\Makefile.in $(MKFDEP) +-##DOS## $(WCONFIG) config < $@.in > $@ + ##DOS##lib\crypto\builtin\md5\Makefile: lib\crypto\builtin\md5\Makefile.in $(MKFDEP) + ##DOS## $(WCONFIG) config < $@.in > $@ + ##DOS##lib\crypto\builtin\camellia\Makefile: lib\crypto\builtin\camellia\Makefile.in $(MKFDEP) +diff --git a/src/configure.ac b/src/configure.ac +index 69be9030f8..2561e917a2 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1513,12 +1513,12 @@ V5_AC_OUTPUT_MAKEFILE(. 
+ lib lib/kdb + + lib/crypto lib/crypto/krb lib/crypto/crypto_tests +- lib/crypto/builtin lib/crypto/builtin/des ++ lib/crypto/builtin + lib/crypto/builtin/aes lib/crypto/builtin/camellia + lib/crypto/builtin/md4 lib/crypto/builtin/md5 + lib/crypto/builtin/sha1 lib/crypto/builtin/sha2 + lib/crypto/builtin/enc_provider lib/crypto/builtin/hash_provider +- lib/crypto/openssl lib/crypto/openssl/des ++ lib/crypto/openssl + lib/crypto/openssl/enc_provider lib/crypto/openssl/hash_provider + + lib/krb5 lib/krb5/error_tables lib/krb5/asn.1 lib/krb5/ccache +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index 09f800be52..c5a625db8f 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -422,8 +422,8 @@ typedef struct _krb5_crypto_iov { + #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ + #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ + #define ENCTYPE_DES_CBC_RAW 0x0004 /**< @deprecated no longer supported */ +-#define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated DES-3 cbc with SHA1 */ +-#define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated DES-3 cbc mode raw */ ++#define ENCTYPE_DES3_CBC_SHA 0x0005 /**< @deprecated no longer supported */ ++#define ENCTYPE_DES3_CBC_RAW 0x0006 /**< @deprecated no longer supported */ + #define ENCTYPE_DES_HMAC_SHA1 0x0008 /**< @deprecated no longer supported */ + /* PKINIT */ + #define ENCTYPE_DSA_SHA1_CMS 0x0009 /**< DSA with SHA1, CMS signature */ +@@ -432,9 +432,9 @@ typedef struct _krb5_crypto_iov { + #define ENCTYPE_RC2_CBC_ENV 0x000c /**< RC2 cbc mode, CMS enveloped data */ + #define ENCTYPE_RSA_ENV 0x000d /**< RSA encryption, CMS enveloped data */ + #define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /**< RSA w/OEAP encryption, CMS enveloped data */ +-#define ENCTYPE_DES3_CBC_ENV 0x000f /**< DES-3 cbc mode, CMS enveloped data */ ++#define ENCTYPE_DES3_CBC_ENV 0x000f /**< @deprecated no longer supported */ + +-#define ENCTYPE_DES3_CBC_SHA1 0x0010 ++#define 
ENCTYPE_DES3_CBC_SHA1 0x0010 /**< @deprecated removed */ + #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 /**< RFC 3962 */ + #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 /**< RFC 3962 */ + #define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /**< RFC 8009 */ +@@ -459,7 +459,7 @@ typedef struct _krb5_crypto_iov { + #define CKSUMTYPE_RSA_MD5 0x0007 + #define CKSUMTYPE_RSA_MD5_DES 0x0008 + #define CKSUMTYPE_NIST_SHA 0x0009 +-#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c ++#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c /* @deprecated removed */ + #define CKSUMTYPE_SHA1 0x000e /**< RFC 3961 */ + #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with + ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 75e04b73db..fe4e48209a 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) + name = "rsaEncryption-EnvOID"; + else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) + name = "id-RSAES-OAEP-EnvOID"; +- else if (ktype == ENCTYPE_DES3_CBC_ENV) +- name = "des-ede3-cbc-EnvOID"; + else + return krb5_enctype_to_name(ktype, FALSE, buf, buflen); + +@@ -1647,8 +1645,6 @@ krb5_boolean + enctype_requires_etype_info_2(krb5_enctype enctype) + { + switch(enctype) { +- case ENCTYPE_DES3_CBC_SHA1: +- case ENCTYPE_DES3_CBC_RAW: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP : + return 0; +diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in +index 10e8c74cf8..25c4f40cc3 100644 +--- a/src/lib/crypto/Makefile.in ++++ b/src/lib/crypto/Makefile.in +@@ -10,12 +10,12 @@ LIBMINOR=1 + RELDIR=crypto + + STOBJLISTS=krb/OBJS.ST \ +- builtin/OBJS.ST builtin/des/OBJS.ST \ ++ builtin/OBJS.ST \ + builtin/aes/OBJS.ST builtin/camellia/OBJS.ST \ + builtin/md4/OBJS.ST builtin/md5/OBJS.ST \ + builtin/sha1/OBJS.ST builtin/sha2/OBJS.ST \ + builtin/enc_provider/OBJS.ST builtin/hash_provider/OBJS.ST \ +- openssl/OBJS.ST openssl/des/OBJS.ST \ ++ openssl/OBJS.ST \ + 
openssl/enc_provider/OBJS.ST openssl/hash_provider/OBJS.ST + + SUBDIROBJLISTS=$(STOBJLISTS) +@@ -28,8 +28,8 @@ SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB) + SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@ + + ##DOS##LIBNAME=$(OUTPRE)crypto.lib +-##DOS##OBJFILEDEP=$(OUTPRE)krb.lst $(OUTPRE)aes.lst $(OUTPRE)enc_provider.lst $(OUTPRE)des.lst $(OUTPRE)md5.lst $(OUTPRE)camellia.lst $(OUTPRE)md4.lst $(OUTPRE)hash_provider.lst $(OUTPRE)sha2.lst $(OUTPRE)sha1.lst $(OUTPRE)builtin.lst +-##DOS##OBJFILELIST=@$(OUTPRE)krb.lst @$(OUTPRE)aes.lst @$(OUTPRE)enc_provider.lst @$(OUTPRE)des.lst @$(OUTPRE)md5.lst @$(OUTPRE)camellia.lst @$(OUTPRE)md4.lst @$(OUTPRE)hash_provider.lst @$(OUTPRE)sha2.lst @$(OUTPRE)sha1.lst @$(OUTPRE)builtin.lst ++##DOS##OBJFILEDEP=$(OUTPRE)krb.lst $(OUTPRE)aes.lst $(OUTPRE)enc_provider.lst $(OUTPRE)md5.lst $(OUTPRE)camellia.lst $(OUTPRE)md4.lst $(OUTPRE)hash_provider.lst $(OUTPRE)sha2.lst $(OUTPRE)sha1.lst $(OUTPRE)builtin.lst ++##DOS##OBJFILELIST=@$(OUTPRE)krb.lst @$(OUTPRE)aes.lst @$(OUTPRE)enc_provider.lst @$(OUTPRE)md5.lst @$(OUTPRE)camellia.lst @$(OUTPRE)md4.lst @$(OUTPRE)hash_provider.lst @$(OUTPRE)sha2.lst @$(OUTPRE)sha1.lst @$(OUTPRE)builtin.lst + + all-unix: all-liblinks + install-unix: install-libs +diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in +index 243bb17ba3..30bfcd30c0 100644 +--- a/src/lib/crypto/builtin/Makefile.in ++++ b/src/lib/crypto/builtin/Makefile.in +@@ -1,6 +1,6 @@ + mydir=lib$(S)crypto$(S)builtin + BUILDTOP=$(REL)..$(S)..$(S).. +-SUBDIRS=camellia des aes md4 md5 sha1 sha2 enc_provider hash_provider ++SUBDIRS=camellia aes md4 md5 sha1 sha2 enc_provider hash_provider + LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) + + ##DOS##BUILDTOP = ..\..\.. 
+@@ -25,7 +25,7 @@ SRCS=\ + $(srcdir)/kdf.c \ + $(srcdir)/pbkdf2.c + +-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ ++SUBDIROBJLISTS= md4/OBJS.ST \ + md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ + enc_provider/OBJS.ST \ + hash_provider/OBJS.ST \ +diff --git a/src/lib/crypto/builtin/des/ISSUES b/src/lib/crypto/builtin/des/ISSUES +deleted file mode 100644 +index 1578911033..0000000000 +--- a/src/lib/crypto/builtin/des/ISSUES ++++ /dev/null +@@ -1,13 +0,0 @@ +-Issues to be addressed for src/lib/crypto/des: -*- text -*- +- +- +-"const" could be used in more places +- +- +-Array types are used in calling interfaces. Under ANSI C, a value of +-type "arraytype *" cannot be assigned to a variable of type "const +-arraytype *", so we get compilation warnings. +- +-Possible fix: Rewrite internal interfaces to not use arrays this way. +-Provide external routines compatible with old API, but not using +-const? +diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in +deleted file mode 100644 +index 397ac87ed4..0000000000 +--- a/src/lib/crypto/builtin/des/Makefile.in ++++ /dev/null +@@ -1,82 +0,0 @@ +-mydir=lib$(S)crypto$(S)builtin$(S)des +-BUILDTOP=$(REL)..$(S)..$(S)..$(S).. +-LOCALINCLUDES=-I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) +- +-##DOS##BUILDTOP = ..\..\..\.. 
+-##DOS##PREFIXDIR = builtin\des +-##DOS##OBJFILE = ..\..\$(OUTPRE)des.lst +- +-STLIBOBJS=\ +- d3_aead.o \ +- d3_kysched.o \ +- des_keys.o \ +- f_aead.o \ +- f_cksum.o \ +- f_parity.o \ +- f_sched.o \ +- f_tables.o \ +- key_sched.o \ +- weak_key.o +- +-OBJS= $(OUTPRE)d3_aead.$(OBJEXT) \ +- $(OUTPRE)d3_kysched.$(OBJEXT) \ +- $(OUTPRE)des_keys.$(OBJEXT) \ +- $(OUTPRE)f_aead.$(OBJEXT) \ +- $(OUTPRE)f_cksum.$(OBJEXT) \ +- $(OUTPRE)f_parity.$(OBJEXT) \ +- $(OUTPRE)f_sched.$(OBJEXT) \ +- $(OUTPRE)f_tables.$(OBJEXT) \ +- $(OUTPRE)key_sched.$(OBJEXT) \ +- $(OUTPRE)weak_key.$(OBJEXT) +- +-SRCS= $(srcdir)/d3_aead.c \ +- $(srcdir)/d3_kysched.c \ +- $(srcdir)/des_keys.c \ +- $(srcdir)/f_aead.c \ +- $(srcdir)/f_cksum.c \ +- $(srcdir)/f_parity.c \ +- $(srcdir)/f_sched.c \ +- $(srcdir)/f_tables.c \ +- $(srcdir)/key_sched.c \ +- $(srcdir)/weak_key.c +- +-EXTRADEPSRCS = $(srcdir)/destest.c $(srcdir)/f_cbc.c $(srcdir)/t_verify.c +- +-##DOS##LIBOBJS = $(OBJS) +- +-TOBJS = $(OUTPRE)key_sched.$(OBJEXT) $(OUTPRE)f_sched.$(OBJEXT) \ +- $(OUTPRE)f_cbc.$(OBJEXT) $(OUTPRE)f_tables.$(OBJEXT) \ +- $(OUTPRE)f_cksum.$(OBJEXT) +- +-verify$(EXEEXT): t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \ +- $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) +- $(CC_LINK) -o $@ t_verify.$(OBJEXT) $(TOBJS) f_parity.$(OBJEXT) \ +- $(COM_ERR_LIB) $(SUPPORT_LIB) +- +-destest$(EXEEXT): destest.$(OBJEXT) $(TOBJS) $(SUPPORT_DEPLIB) +- $(CC_LINK) -o $@ destest.$(OBJEXT) $(TOBJS) $(SUPPORT_LIB) +- +-all-unix: all-libobjs +- +-check-unix: check-unix-@CRYPTO_BUILTIN_TESTS@ +-check-unix-no: +-check-unix-yes: verify destest +- $(RUN_TEST) ./verify -z +- $(RUN_TEST) ./verify -m +- $(RUN_TEST) ./verify +- $(RUN_TEST) ./destest < $(srcdir)/keytest.data +- +-includes: depend +- +-depend: $(SRCS) +- +-check-windows: +- +-clean: +- $(RM) destest.$(OBJEXT) destest$(EXEEXT) verify$(EXEEXT) \ +- t_verify.$(OBJEXT) $(TOBJS) +- +-clean-unix:: clean-libobjs +- +-@libobj_frag@ +- +diff --git a/src/lib/crypto/builtin/des/d3_aead.c 
b/src/lib/crypto/builtin/des/d3_aead.c +deleted file mode 100644 +index fb83f73b43..0000000000 +--- a/src/lib/crypto/builtin/des/d3_aead.c ++++ /dev/null +@@ -1,137 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* +- * Copyright (C) 2008 by the Massachusetts Institute of Technology. +- * Copyright 1995 by Richard P. Basch. All Rights Reserved. +- * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used +- * in advertising or publicity pertaining to distribution of the software +- * without specific, written prior permission. Richard P. Basch, +- * Lehman Brothers and M.I.T. make no representations about the suitability +- * of this software for any purpose. It is provided "as is" without +- * express or implied warranty. 
+- */ +- +-#include "crypto_int.h" +-#include "des_int.h" +-#include "f_tables.h" +- +-#ifdef K5_BUILTIN_DES +- +-void +-krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, +- const mit_des_key_schedule ks1, +- const mit_des_key_schedule ks2, +- const mit_des_key_schedule ks3, +- mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp1, *kp2, *kp3; +- const unsigned char *ip; +- struct iov_cursor cursor; +- unsigned char block[MIT_DES_BLOCK_LENGTH]; +- +- /* Get key pointers here. These won't need to be reinitialized. */ +- kp1 = (const unsigned DES_INT32 *)ks1; +- kp2 = (const unsigned DES_INT32 *)ks2; +- kp3 = (const unsigned DES_INT32 *)ks3; +- +- /* Initialize left and right with the contents of the initial vector. */ +- ip = (ivec != NULL) ? ivec : mit_des_zeroblock; +- left = load_32_be(ip); +- right = load_32_be(ip + 4); +- +- k5_iov_cursor_init(&cursor, data, num_data, MIT_DES_BLOCK_LENGTH, FALSE); +- while (k5_iov_cursor_get(&cursor, block)) { +- /* xor this block with the previous ciphertext. */ +- left ^= load_32_be(block); +- right ^= load_32_be(block + 4); +- +- /* Encrypt what we have and store it back into block. 
*/ +- DES_DO_ENCRYPT(left, right, kp1); +- DES_DO_DECRYPT(left, right, kp2); +- DES_DO_ENCRYPT(left, right, kp3); +- store_32_be(left, block); +- store_32_be(right, block + 4); +- +- k5_iov_cursor_put(&cursor, block); +- } +- +- if (ivec != NULL) { +- store_32_be(left, ivec); +- store_32_be(right, ivec + 4); +- } +-} +- +-void +-krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, +- const mit_des_key_schedule ks1, +- const mit_des_key_schedule ks2, +- const mit_des_key_schedule ks3, +- mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp1, *kp2, *kp3; +- const unsigned char *ip; +- unsigned DES_INT32 ocipherl, ocipherr; +- unsigned DES_INT32 cipherl, cipherr; +- struct iov_cursor cursor; +- unsigned char block[MIT_DES_BLOCK_LENGTH]; +- +- /* Get key pointers here. These won't need to be reinitialized. */ +- kp1 = (const unsigned DES_INT32 *)ks1; +- kp2 = (const unsigned DES_INT32 *)ks2; +- kp3 = (const unsigned DES_INT32 *)ks3; +- +- /* +- * Decrypting is harder than encrypting because of +- * the necessity of remembering a lot more things. +- * Should think about this a little more... +- */ +- +- /* Prime the old cipher with ivec.*/ +- ip = (ivec != NULL) ? ivec : mit_des_zeroblock; +- ocipherl = load_32_be(ip); +- ocipherr = load_32_be(ip + 4); +- +- k5_iov_cursor_init(&cursor, data, num_data, MIT_DES_BLOCK_LENGTH, FALSE); +- while (k5_iov_cursor_get(&cursor, block)) { +- /* Split this block into left and right. */ +- cipherl = left = load_32_be(block); +- cipherr = right = load_32_be(block + 4); +- +- /* Decrypt and xor with the old cipher to get plain text. */ +- DES_DO_DECRYPT(left, right, kp3); +- DES_DO_ENCRYPT(left, right, kp2); +- DES_DO_DECRYPT(left, right, kp1); +- left ^= ocipherl; +- right ^= ocipherr; +- +- /* Store the encrypted halves back into block. */ +- store_32_be(left, block); +- store_32_be(right, block + 4); +- +- /* Save current cipher block halves. 
*/
+- ocipherl = cipherl;
+- ocipherr = cipherr;
+-
+- k5_iov_cursor_put(&cursor, block);
+- }
+-
+- if (ivec != NULL) {
+- store_32_be(ocipherl, ivec);
+- store_32_be(ocipherr, ivec + 4);
+- }
+-}
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/builtin/des/d3_kysched.c b/src/lib/crypto/builtin/des/d3_kysched.c
+deleted file mode 100644
+index 55fb9449b5..0000000000
+--- a/src/lib/crypto/builtin/des/d3_kysched.c
++++ /dev/null
+@@ -1,55 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/*
+- * Copyright 1995 by Richard P. Basch. All Rights Reserved.
+- * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used
+- * in advertising or publicity pertaining to distribution of the software
+- * without specific, written prior permission. Richard P. Basch,
+- * Lehman Brothers and M.I.T. make no representations about the suitability
+- * of this software for any purpose. It is provided "as is" without
+- * express or implied warranty. 
+- */
+-
+-#include "crypto_int.h"
+-#include "des_int.h"
+-
+-#ifdef K5_BUILTIN_DES
+-
+-int
+-mit_des3_key_sched(mit_des3_cblock k, mit_des3_key_schedule schedule)
+-{
+- mit_des_make_key_sched(k[0],schedule[0]);
+- mit_des_make_key_sched(k[1],schedule[1]);
+- mit_des_make_key_sched(k[2],schedule[2]);
+-
+- if (!mit_des_check_key_parity(k[0])) /* bad parity --> return -1 */
+- return(-1);
+- if (mit_des_is_weak_key(k[0]))
+- return(-2);
+-
+- if (!mit_des_check_key_parity(k[1]))
+- return(-1);
+- if (mit_des_is_weak_key(k[1]))
+- return(-2);
+-
+- if (!mit_des_check_key_parity(k[2]))
+- return(-1);
+- if (mit_des_is_weak_key(k[2]))
+- return(-2);
+-
+- /* if key was good, return 0 */
+- return 0;
+-}
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps
+deleted file mode 100644
+index 1c1239d696..0000000000
+--- a/src/lib/crypto/builtin/des/deps
++++ /dev/null
+@@ -1,146 +0,0 @@
+-#
+-# Generated makefile dependencies follow. 
+-# +-d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- d3_aead.c des_int.h f_tables.h +-d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h d3_kysched.c des_int.h +-des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h 
$(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h des_keys.c +-f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des_int.h f_aead.c f_tables.h +-f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des_int.h f_cksum.c f_tables.h +-f_parity.so 
f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h f_parity.c +-f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des_int.h f_sched.c +-f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- 
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h f_tables.c \ +- f_tables.h +-key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h key_sched.c +-weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h weak_key.c +-destest.so destest.po 
$(OUTPRE)destest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h destest.c +-f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_int.h f_cbc.c \ +- f_tables.h +-t_verify.so t_verify.po $(OUTPRE)t_verify.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- 
$(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+- des_int.h t_verify.c
+diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h
+deleted file mode 100644
+index f8dc6b296a..0000000000
+--- a/src/lib/crypto/builtin/des/des_int.h
++++ /dev/null
+@@ -1,285 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/builtin/des/des_int.h */
+-/*
+- * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of
+- * Technology. All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-/*
+- * Copyright (C) 1998 by the FundsXpress, INC.
+- *
+- * All rights reserved. 
+- *
+- * Export of this software from the United States of America may require
+- * a specific license from the United States Government. It is the
+- * responsibility of any person or organization contemplating export to
+- * obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of FundsXpress. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. FundsXpress makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- *
+- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+- */
+-
+-/* Private include file for the Data Encryption Standard library. */
+-
+-/* only do the whole thing once */
+-#ifndef DES_INTERNAL_DEFS
+-#define DES_INTERNAL_DEFS
+-
+-#include "k5-int.h"
+-/*
+- * Begin "mit-des.h"
+- */
+-#ifndef KRB5_MIT_DES__
+-#define KRB5_MIT_DES__
+-
+-#if defined(__MACH__) && defined(__APPLE__)
+-#include
+-#include
+-#if TARGET_RT_MAC_CFM
+-#error "Use KfM 4.0 SDK headers for CFM compilation."
+-#endif
+-#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+-#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+-#endif
+-#endif /* defined(__MACH__) && defined(__APPLE__) */
+-
+-/* Macro to add deprecated attribute to DES types and functions */
+-/* Currently only defined on macOS 10.5 and later. 
*/
+-#ifndef KRB5INT_DES_DEPRECATED
+-#define KRB5INT_DES_DEPRECATED
+-#endif
+-
+-#include
+-
+-#if UINT_MAX >= 0xFFFFFFFFUL
+-#define DES_INT32 int
+-#define DES_UINT32 unsigned int
+-#else
+-#define DES_INT32 long
+-#define DES_UINT32 unsigned long
+-#endif
+-
+-typedef unsigned char des_cblock[8] /* crypto-block size */
+-KRB5INT_DES_DEPRECATED;
+-
+-/*
+- * Key schedule.
+- *
+- * This used to be
+- *
+- * typedef struct des_ks_struct {
+- * union { DES_INT32 pad; des_cblock _;} __;
+- * } des_key_schedule[16];
+- *
+- * but it would cause trouble if DES_INT32 were ever more than 4
+- * bytes. The reason is that all the encryption functions cast it to
+- * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
+- * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+- * caller-allocated des_key_schedule will be overflowed by the key
+- * scheduling functions. We can't assume that every platform will
+- * have an exact 32-bit int, and nothing should be looking inside a
+- * des_key_schedule anyway. 
+- */
+-typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
+-KRB5INT_DES_DEPRECATED;
+-
+-typedef des_cblock mit_des_cblock;
+-typedef des_key_schedule mit_des_key_schedule;
+-
+-/* Triple-DES structures */
+-typedef mit_des_cblock mit_des3_cblock[3];
+-typedef mit_des_key_schedule mit_des3_key_schedule[3];
+-
+-#define MIT_DES_ENCRYPT 1
+-#define MIT_DES_DECRYPT 0
+-
+-typedef struct mit_des_ran_key_seed {
+- krb5_encrypt_block eblock;
+- krb5_data sequence;
+-} mit_des_random_state;
+-
+-/* the first byte of the key is already in the keyblock */
+-
+-#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
+-/* This used to be 8*sizeof(krb5_octet) */
+-#define MIT_DES_KEYSIZE 8
+-
+-#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
+-
+-#endif /* KRB5_MIT_DES__ */
+-/*
+- * End "mit-des.h"
+- */
+-
+-/* afsstring2key.c */
+-krb5_error_code mit_afs_string_to_key(krb5_keyblock *keyblock,
+- const krb5_data *data,
+- const krb5_data *salt);
+-char *mit_afs_crypt(const char *pw, const char *salt, char *iobuf);
+-
+-/* f_cksum.c */
+-unsigned long mit_des_cbc_cksum(const krb5_octet *, krb5_octet *,
+- unsigned long, const mit_des_key_schedule,
+- const krb5_octet *);
+-
+-/* f_cbc.c (used by test programs) */
+-int
+-mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+- unsigned long length, const mit_des_key_schedule schedule,
+- const mit_des_cblock ivec, int enc);
+-
+-#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
+-extern const mit_des_cblock mit_des_zeroblock;
+-
+-/* fin_rndkey.c */
+-krb5_error_code mit_des_finish_random_key(const krb5_encrypt_block *,
+- krb5_pointer *);
+-
+-/* finish_key.c */
+-krb5_error_code mit_des_finish_key(krb5_encrypt_block *);
+-
+-/* init_rkey.c */
+-krb5_error_code mit_des_init_random_key(const krb5_encrypt_block *,
+- const krb5_keyblock *,
+- krb5_pointer *);
+-
+-/* key_parity.c */
+-void mit_des_fixup_key_parity(mit_des_cblock);
+-int mit_des_check_key_parity(mit_des_cblock);
+-
+-/* 
key_sched.c */
+-int mit_des_key_sched(mit_des_cblock, mit_des_key_schedule);
+-
+-/* process_ky.c */
+-krb5_error_code mit_des_process_key(krb5_encrypt_block *,
+- const krb5_keyblock *);
+-
+-/* random_key.c */
+-krb5_error_code mit_des_random_key(const krb5_encrypt_block *,
+- krb5_pointer, krb5_keyblock **);
+-
+-/* string2key.c */
+-krb5_error_code mit_des_string_to_key(const krb5_encrypt_block *,
+- krb5_keyblock *, const krb5_data *,
+- const krb5_data *);
+-krb5_error_code mit_des_string_to_key_int(krb5_keyblock *, const krb5_data *,
+- const krb5_data *);
+-
+-/* weak_key.c */
+-int mit_des_is_weak_key(mit_des_cblock);
+-
+-/* cmb_keys.c */
+-krb5_error_code mit_des_combine_subkeys(const krb5_keyblock *,
+- const krb5_keyblock *,
+- krb5_keyblock **);
+-
+-/* f_pcbc.c */
+-int mit_des_pcbc_encrypt();
+-
+-/* f_sched.c */
+-int mit_des_make_key_sched(mit_des_cblock, mit_des_key_schedule);
+-
+-
+-/* misc.c */
+-extern void swap_bits(char *);
+-extern unsigned long long_swap_bits(unsigned long);
+-extern unsigned long swap_six_bits_to_ansi(unsigned long);
+-extern unsigned long swap_four_bits_to_ansi(unsigned long);
+-extern unsigned long swap_bit_pos_1(unsigned long);
+-extern unsigned long swap_bit_pos_0(unsigned long);
+-extern unsigned long swap_bit_pos_0_to_ansi(unsigned long);
+-extern unsigned long rev_swap_bit_pos_0(unsigned long);
+-extern unsigned long swap_byte_bits(unsigned long);
+-extern unsigned long swap_long_bytes_bit_number(unsigned long);
+-#ifdef FILE
+-/* XXX depends on FILE being a #define! 
*/
+-extern void test_set(FILE *, const char *, int, const char *, int);
+-#endif
+-
+-void
+-krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
+- const mit_des_key_schedule ks1,
+- const mit_des_key_schedule ks2,
+- const mit_des_key_schedule ks3,
+- mit_des_cblock ivec);
+-
+-void
+-krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
+- const mit_des_key_schedule ks1,
+- const mit_des_key_schedule ks2,
+- const mit_des_key_schedule ks3,
+- mit_des_cblock ivec);
+-
+-void
+-krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
+- const mit_des_key_schedule schedule,
+- mit_des_cblock ivec);
+-
+-void
+-krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
+- const mit_des_key_schedule schedule,
+- mit_des_cblock ivec);
+-
+-void
+-krb5int_des_cbc_mac(const krb5_crypto_iov *data, unsigned long num_data,
+- const mit_des_key_schedule schedule, mit_des_cblock ivec,
+- mit_des_cblock out);
+-
+-/* d3_procky.c */
+-krb5_error_code mit_des3_process_key(krb5_encrypt_block *eblock,
+- const krb5_keyblock *keyblock);
+-
+-/* d3_kysched.c */
+-int mit_des3_key_sched(mit_des3_cblock key, mit_des3_key_schedule schedule);
+-
+-/* d3_str2ky.c */
+-krb5_error_code mit_des3_string_to_key(const krb5_encrypt_block *eblock,
+- krb5_keyblock *keyblock,
+- const krb5_data *data,
+- const krb5_data *salt);
+-
+-/* u_nfold.c */
+-krb5_error_code mit_des_n_fold(const krb5_octet *input, const size_t in_len,
+- krb5_octet *output, const size_t out_len);
+-
+-/* u_rn_key.c */
+-int mit_des_is_weak_keyblock(krb5_keyblock *keyblock);
+-
+-void mit_des_fixup_keyblock_parity(krb5_keyblock *keyblock);
+-
+-krb5_error_code mit_des_set_random_generator_seed(const krb5_data *seed,
+- krb5_pointer random_state);
+-
+-krb5_error_code mit_des_set_random_sequence_number(const krb5_data *sequence,
+- krb5_pointer random_state);
+-#endif /*DES_INTERNAL_DEFS*/
+diff --git a/src/lib/crypto/builtin/des/des_keys.c 
b/src/lib/crypto/builtin/des/des_keys.c
+deleted file mode 100644
+index 027b09d728..0000000000
+--- a/src/lib/crypto/builtin/des/des_keys.c
++++ /dev/null
+@@ -1,38 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/builtin/des/des_keys.c - Key functions used by Kerberos code */
+-/*
+- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
+- * All rights reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty. 
+- */
+-
+-#include "crypto_int.h"
+-#include "des_int.h"
+-
+-#ifdef K5_BUILTIN_DES_KEY_PARITY
+-
+-void
+-k5_des_fixup_key_parity(unsigned char *keybits)
+-{
+- mit_des_fixup_key_parity(keybits);
+-}
+-
+-#endif /* K5_BUILTIN_DES_KEY_PARITY */
+diff --git a/src/lib/crypto/builtin/des/destest.c b/src/lib/crypto/builtin/des/destest.c
+deleted file mode 100644
+index 52114304e3..0000000000
+--- a/src/lib/crypto/builtin/des/destest.c
++++ /dev/null
+@@ -1,240 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/builtin/des/destest.c */
+-/*
+- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+- * All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-/*
+- * Copyright (C) 1998 by the FundsXpress, INC.
+- *
+- * All rights reserved. 
+- *
+- * Export of this software from the United States of America may require
+- * a specific license from the United States Government. It is the
+- * responsibility of any person or organization contemplating export to
+- * obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of FundsXpress. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. FundsXpress makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- *
+- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+- */
+-
+-/* Test a DES implementation against known inputs & outputs. */
+-
+-#include "des_int.h"
+-#include
+-#include
+-
+-void convert (char *, unsigned char []);
+-
+-void des_cblock_print_file (mit_des_cblock, FILE *);
+-
+-krb5_octet zeroblock[8] = {0,0,0,0,0,0,0,0};
+-
+-int
+-main(argc, argv)
+- int argc;
+- char *argv[];
+-{
+- char block1[17], block2[17], block3[17];
+- /* Force tests of unaligned accesses. 
*/
+- union { unsigned char c[8*4+3]; long l; } u;
+- unsigned char *ioblocks = u.c;
+- unsigned char *input = ioblocks+1;
+- unsigned char *output = ioblocks+10;
+- unsigned char *output2 = ioblocks+19;
+- unsigned char *key = ioblocks+27;
+- mit_des_key_schedule sched;
+- int num = 0;
+- int retval;
+-
+- int error = 0;
+-
+- while (scanf("%16s %16s %16s", block1, block2, block3) == 3) {
+- convert(block1, key);
+- convert(block2, input);
+- convert(block3, output);
+-
+- retval = mit_des_key_sched(key, sched);
+- if (retval) {
+- fprintf(stderr, "des test: can't process key: %d\n", retval);
+- fprintf(stderr, "des test: %s %s %s\n", block1, block2, block3);
+- exit(1);
+- }
+- mit_des_cbc_encrypt((const mit_des_cblock *) input,
+- (mit_des_cblock *) output2, 8,
+- sched, zeroblock, 1);
+-
+- if (memcmp((char *)output2, (char *)output, 8)) {
+- fprintf(stderr,
+- "DES ENCRYPT ERROR, key %s, text %s, real cipher %s, computed cyphertext %02X%02X%02X%02X%02X%02X%02X%02X\n",
+- block1, block2, block3,
+- output2[0],output2[1],output2[2],output2[3],
+- output2[4],output2[5],output2[6],output2[7]);
+- error++;
+- }
+-
+- /*
+- * Now try decrypting....
+- */
+- mit_des_cbc_encrypt((const mit_des_cblock *) output,
+- (mit_des_cblock *) output2, 8,
+- sched, zeroblock, 0);
+-
+- if (memcmp((char *)output2, (char *)input, 8)) {
+- fprintf(stderr,
+- "DES DECRYPT ERROR, key %s, text %s, real cipher %s, computed cleartext %02X%02X%02X%02X%02X%02X%02X%02X\n",
+- block1, block2, block3,
+- output2[0],output2[1],output2[2],output2[3],
+- output2[4],output2[5],output2[6],output2[7]);
+- error++;
+- }
+-
+- num++;
+- }
+-
+- if (error)
+- printf("destest: failed to pass the test\n");
+- else
+- printf("destest: %d tests passed successfully\n", num);
+-
+- exit( (error > 256 && error % 256) ? 
1 : error);
+-}
+-
+-int value[128] = {
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- 0, 1, 2, 3, 4, 5, 6, 7,
+- 8, 9, -1, -1, -1, -1, -1, -1,
+- -1, 10, 11, 12, 13, 14, 15, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+- -1, -1, -1, -1, -1, -1, -1, -1,
+-};
+-
+-void
+-convert(text, cblock)
+- char *text;
+- unsigned char cblock[];
+-{
+- int i;
+- for (i = 0; i < 8; i++) {
+- if (!isascii((unsigned char)text[i * 2]))
+- abort ();
+- if (value[(int) text[i*2]] == -1 || value[(int) text[i*2+1]] == -1) {
+- printf("Bad value byte %d in %s\n", i, text);
+- exit(1);
+- }
+- cblock[i] = 16*value[(int) text[i*2]] + value[(int) text[i*2+1]];
+- }
+- return;
+-}
+-
+-/*
+- * Fake out the DES library, for the purposes of testing.
+- */
+-
+-int
+-mit_des_is_weak_key(key)
+- mit_des_cblock key;
+-{
+- return 0; /* fake it out for testing */
+-}
+-
+-void
+-des_cblock_print_file(x, fp)
+- mit_des_cblock x;
+- FILE *fp;
+-{
+- unsigned char *y = (unsigned char *) x;
+- int i = 0;
+- fprintf(fp," 0x { ");
+-
+- while (i++ < 8) {
+- fprintf(fp,"%x",*y++);
+- if (i < 8)
+- fprintf(fp,", ");
+- }
+- fprintf(fp," }");
+-}
+-
+-
+-#define smask(step) ((1<>step)&smask(step)))
+-#define parity_char(x) pstep(pstep(pstep((x),4),2),1)
+-
+-/*
+- * des_check_key_parity: returns true iff key has the correct des parity.
+- * See des_fix_key_parity for the definition of
+- * correct des parity. 
+- */
+-int
+-mit_des_check_key_parity(key)
+- mit_des_cblock key;
+-{
+- unsigned int i;
+-
+- for (i=0; i decrypt, else encrypt */
+- Key_schedule schedule; /* addr of key schedule */
+-
+-This is the low level routine that encrypts or decrypts a single 8-byte
+-block in electronic code book mode. Always transforms the input
+-data into the output data.
+-
+-If encrypt is non-zero, the input (cleartext) is encrypted into the
+-output (ciphertext) using the specified key_schedule, pre-set via "des_set_key".
+-
+-If encrypt is zero, the input (now ciphertext) is decrypted into
+-the output (now cleartext).
+-
+-Input and output may be the same space.
+-
+-Does not return any meaningful value. Void is not used for compatibility
+-with other compilers.
+-
+-/* -------------------------------------------------------------- */
+-
+-int
+- cbc_encrypt(input,output,length,schedule,ivec,encrypt)
+-
+- C_Block *input; /* ptr to input data */
+- C_Block *output; /* ptr to output data */
+- int length; /* desired length, in bytes */
+- Key_schedule schedule; /* addr of precomputed schedule */
+- C_Block *ivec; /* pointer to 8 byte initialization
+- * vector
+- */
+- int encrypt /* 0 ==> decrypt; else encrypt*/
+-
+-
+- If encrypt is non-zero, the routine cipher-block-chain encrypts
+- the INPUT (cleartext) into the OUTPUT (ciphertext) using the provided
+- key schedule and initialization vector. If the length is not an integral
+- multiple of eight bytes, the last block is copied to a temp and zero
+- filled (highest addresses). The output is ALWAYS an integral multiple
+- of eight bytes.
+-
+- If encrypt is zero, the routine cipher-block chain decrypts the INPUT
+- (ciphertext) into the OUTPUT (cleartext) using the provided key schedule
+- and initialization vector. Decryption ALWAYS operates on integral
+- multiples of 8 bytes, so will round the length provided up to the
+- appropriate multiple. 
Consequently, it will always produce the rounded-up +- number of bytes of output cleartext. The application must determine if +- the output cleartext was zero-padded due to cleartext lengths not integral +- multiples of 8. +- +- No errors or meaningful value are returned. Void is not used for +- compatibility with other compilers. +- +- +-/* cbc checksum (MAC) only routine ---------------------------------------- */ +-int +- cbc_cksum(input,output,length,schedule,ivec) +- +- C_Block *input; /* >= length bytes of inputtext */ +- C_Block *output; /* >= length bytes of outputtext */ +- int length; /* in bytes */ +- Key_schedule schedule; /* precomputed key schedule */ +- C_Block *ivec; /* 8 bytes of ivec */ +- +- +- Produces a cryptographic checksum, 8 bytes, by cipher-block-chain +- encrypting the input, discarding the ciphertext output, and only retaining +- the last ciphertext 8-byte block. Uses the provided key schedule and ivec. +- The input is effectively zero-padded to an integral multiple of +- eight bytes, though the original input is not modified. +- +- No meaningful value is returned. Void is not used for compatibility +- with other compilers. +- +- +-/* random_key ----------------------------------------*/ +-int +- random_key(key) +- +- C_Block *key; +- +- The start for the random number generated is set from the current time +- in microseconds, then the random number generator is invoked +- to create an eight byte output key (not a schedule). The key +- generated is set to odd parity per FIPS spec. +- +- The caller must supply space for the output key, pointed to +- by "*key", then after getting a new key, call the des_set_key() +- routine when needed. +- +- No meaningful value is returned. Void is not used for compatibility +- with other compilers. 
+- +- +-/* string_to_key --------------------------------------------*/ +- +-int +- string_to_key(str,key) +- char *str; +- C_Block *key; +- +- This routines converts an arbitrary length, null terminated string +- to an 8 byte DES key, with each byte parity set to odd, per FIPS spec. +- +- The algorithm is as follows: +- +-| Take the first 8 bytes and remove the parity (leaving 56 bits). +-| Do the same for the second 8 bytes, and the third, etc. Do this for +-| as many sets of 8 bytes as necessary, filling in the remainder of the +-| last set with nulls. Fold the second set back on the first (i.e. bit +-| 0 over bit 55, and bit 55 over bit 0). Fold the third over the second +-| (bit 0 of the third set is now over bit 0 of the first set). Repeat +-| until you have done this to all sets. Xor the folded sets. Break the +-| result into 8 7 bit bytes, and generate odd parity for each byte. You +-| now have 64 bits. Note that DES takes a 64 bit key, and uses only the +-| non parity bits. +- +- +-/* read_password -------------------------------------------*/ +- +-read_password(k,prompt,verify) +- C_Block *k; +- char *prompt; +- int verify; +- +-This routine issues the supplied prompt, turns off echo, if possible, and +-reads an input string. If verify is non-zero, it does it again, for use +-in applications such as changing a password. If verify is non-zero, both +-versions are compared, and the input is requested repeatedly until they +-match. Then, the input string is mapped into a valid DES key, internally +-using the string_to_key routine. The newly created key is copied to the +-area pointed to by parameter "k". +- +-No meaningful value is returned. If an error occurs trying to manipulate +-the terminal echo, the routine forces the process to exit. +- +-/* get_line ------------------------*/ +-long get_line(p,max) +- char *p; +- long max; +- +-Reads input characters from standard input until either a newline appears or +-else the max length is reached. 
The characters read are stuffed into +-the string pointed to, which will always be null terminated. The newline +-is not inserted in the string. The max parameter includes the byte needed +-for the null terminator, so allocate and pass one more than the maximum +-string length desired. +diff --git a/src/lib/crypto/builtin/des/f_aead.c b/src/lib/crypto/builtin/des/f_aead.c +deleted file mode 100644 +index f887735820..0000000000 +--- a/src/lib/crypto/builtin/des/f_aead.c ++++ /dev/null +@@ -1,177 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* +- * Copyright (C) 2008 by the Massachusetts Institute of Technology. +- * Copyright 1995 by Richard P. Basch. All Rights Reserved. +- * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used +- * in advertising or publicity pertaining to distribution of the software +- * without specific, written prior permission. Richard P. Basch, +- * Lehman Brothers and M.I.T. make no representations about the suitability +- * of this software for any purpose. It is provided "as is" without +- * express or implied warranty. 
+- */ +- +-#include "crypto_int.h" +-#include "des_int.h" +-#include "f_tables.h" +- +-#ifdef K5_BUILTIN_DES +- +-const mit_des_cblock mit_des_zeroblock /* = all zero */; +- +-void +-krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, +- const mit_des_key_schedule schedule, +- mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- struct iov_cursor cursor; +- unsigned char block[MIT_DES_BLOCK_LENGTH]; +- +- /* Get key pointer here. This won't need to be reinitialized. */ +- kp = (const unsigned DES_INT32 *)schedule; +- +- /* Initialize left and right with the contents of the initial vector. */ +- ip = (ivec != NULL) ? ivec : mit_des_zeroblock; +- left = load_32_be(ip); +- right = load_32_be(ip + 4); +- +- k5_iov_cursor_init(&cursor, data, num_data, MIT_DES_BLOCK_LENGTH, FALSE); +- while (k5_iov_cursor_get(&cursor, block)) { +- /* Decompose this block and xor it with the previous ciphertext. */ +- left ^= load_32_be(block); +- right ^= load_32_be(block + 4); +- +- /* Encrypt what we have and put back into block. */ +- DES_DO_ENCRYPT(left, right, kp); +- store_32_be(left, block); +- store_32_be(right, block + 4); +- +- k5_iov_cursor_put(&cursor, block); +- } +- +- if (ivec != NULL) { +- store_32_be(left, ivec); +- store_32_be(right, ivec + 4); +- } +-} +- +-void +-krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, +- const mit_des_key_schedule schedule, +- mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- unsigned DES_INT32 ocipherl, ocipherr; +- unsigned DES_INT32 cipherl, cipherr; +- struct iov_cursor cursor; +- unsigned char block[MIT_DES_BLOCK_LENGTH]; +- +- /* Get key pointer here. This won't need to be reinitialized. */ +- kp = (const unsigned DES_INT32 *)schedule; +- +- /* +- * Decrypting is harder than encrypting because of +- * the necessity of remembering a lot more things. 
+- * Should think about this a little more... +- */ +- +- /* Prime the old cipher with ivec. */ +- ip = (ivec != NULL) ? ivec : mit_des_zeroblock; +- ocipherl = load_32_be(ip); +- ocipherr = load_32_be(ip + 4); +- +- k5_iov_cursor_init(&cursor, data, num_data, MIT_DES_BLOCK_LENGTH, FALSE); +- while (k5_iov_cursor_get(&cursor, block)) { +- /* Split this block into left and right. */ +- cipherl = left = load_32_be(block); +- cipherr = right = load_32_be(block + 4); +- +- /* Decrypt and xor with the old cipher to get plain text. */ +- DES_DO_DECRYPT(left, right, kp); +- left ^= ocipherl; +- right ^= ocipherr; +- +- /* Store the encrypted halves back into block. */ +- store_32_be(left, block); +- store_32_be(right, block + 4); +- +- /* Save current cipher block halves. */ +- ocipherl = cipherl; +- ocipherr = cipherr; +- +- k5_iov_cursor_put(&cursor, block); +- } +- +- if (ivec != NULL) { +- store_32_be(ocipherl, ivec); +- store_32_be(ocipherr, ivec + 4); +- } +-} +- +-void +-krb5int_des_cbc_mac(const krb5_crypto_iov *data, unsigned long num_data, +- const mit_des_key_schedule schedule, mit_des_cblock ivec, +- mit_des_cblock out) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- struct iov_cursor cursor; +- unsigned char block[MIT_DES_BLOCK_LENGTH]; +- +- /* Get key pointer here. This won't need to be reinitialized. */ +- kp = (const unsigned DES_INT32 *)schedule; +- +- /* Initialize left and right with the contents of the initial vector. */ +- ip = (ivec != NULL) ? ivec : mit_des_zeroblock; +- left = load_32_be(ip); +- right = load_32_be(ip + 4); +- +- k5_iov_cursor_init(&cursor, data, num_data, MIT_DES_BLOCK_LENGTH, TRUE); +- while (k5_iov_cursor_get(&cursor, block)) { +- /* Decompose this block and xor it with the previous ciphertext. */ +- left ^= load_32_be(block); +- right ^= load_32_be(block + 4); +- +- /* Encrypt what we have. 
*/ +- DES_DO_ENCRYPT(left, right, kp); +- } +- +- /* Output the final ciphertext block. */ +- store_32_be(left, out); +- store_32_be(right, out + 4); +-} +- +-#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) +-void krb5int_des_do_encrypt_2 (unsigned DES_INT32 *left, +- unsigned DES_INT32 *right, +- const unsigned DES_INT32 *kp) +-{ +- DES_DO_ENCRYPT_1 (*left, *right, kp); +-} +- +-void krb5int_des_do_decrypt_2 (unsigned DES_INT32 *left, +- unsigned DES_INT32 *right, +- const unsigned DES_INT32 *kp) +-{ +- DES_DO_DECRYPT_1 (*left, *right, kp); +-} +-#endif +- +-#endif /* K5_BUILTIN_DES */ +diff --git a/src/lib/crypto/builtin/des/f_cbc.c b/src/lib/crypto/builtin/des/f_cbc.c +deleted file mode 100644 +index 84d5382f22..0000000000 +--- a/src/lib/crypto/builtin/des/f_cbc.c ++++ /dev/null +@@ -1,256 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/builtin/des/f_cbc.c */ +-/* +- * Copyright (C) 1990 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. 
Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-/* +- * CBC functions; used only by the test programs at this time. (krb5 uses the +- * functions in f_aead.c instead.) +- */ +- +-/* +- * des_cbc_encrypt.c - an implementation of the DES cipher function in cbc mode +- */ +-#include "des_int.h" +-#include "f_tables.h" +- +-/* +- * des_cbc_encrypt - {en,de}crypt a stream in CBC mode +- */ +- +-/* +- * This routine performs DES cipher-block-chaining operation, either +- * encrypting from cleartext to ciphertext, if encrypt != 0 or +- * decrypting from ciphertext to cleartext, if encrypt == 0. +- * +- * The key schedule is passed as an arg, as well as the cleartext or +- * ciphertext. The cleartext and ciphertext should be in host order. +- * +- * NOTE-- the output is ALWAYS an multiple of 8 bytes long. If not +- * enough space was provided, your program will get trashed. +- * +- * For encryption, the cleartext string is null padded, at the end, to +- * an integral multiple of eight bytes. +- * +- * For decryption, the ciphertext will be used in integral multiples +- * of 8 bytes, but only the first "length" bytes returned into the +- * cleartext. +- */ +- +-const mit_des_cblock mit_des_zeroblock /* = all zero */; +- +-static void +-des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, +- unsigned long length, const mit_des_key_schedule schedule, +- const mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- unsigned char *op; +- +- /* +- * Get key pointer here. 
This won't need to be reinitialized +- */ +- kp = (const unsigned DES_INT32 *)schedule; +- +- /* +- * Initialize left and right with the contents of the initial +- * vector. +- */ +- ip = ivec; +- GET_HALF_BLOCK(left, ip); +- GET_HALF_BLOCK(right, ip); +- +- /* +- * Suitably initialized, now work the length down 8 bytes +- * at a time. +- */ +- ip = *in; +- op = *out; +- while (length > 0) { +- /* +- * Get more input, xor it in. If the length is +- * greater than or equal to 8 this is straight +- * forward. Otherwise we have to fart around. +- */ +- if (length >= 8) { +- unsigned DES_INT32 temp; +- GET_HALF_BLOCK(temp, ip); +- left ^= temp; +- GET_HALF_BLOCK(temp, ip); +- right ^= temp; +- length -= 8; +- } else { +- /* +- * Oh, shoot. We need to pad the +- * end with zeroes. Work backwards +- * to do this. +- */ +- ip += (int) length; +- switch(length) { +- case 7: +- right ^= (*(--ip) & FF_UINT32) << 8; +- case 6: +- right ^= (*(--ip) & FF_UINT32) << 16; +- case 5: +- right ^= (*(--ip) & FF_UINT32) << 24; +- case 4: +- left ^= *(--ip) & FF_UINT32; +- case 3: +- left ^= (*(--ip) & FF_UINT32) << 8; +- case 2: +- left ^= (*(--ip) & FF_UINT32) << 16; +- case 1: +- left ^= (*(--ip) & FF_UINT32) << 24; +- break; +- } +- length = 0; +- } +- +- /* +- * Encrypt what we have +- */ +- DES_DO_ENCRYPT(left, right, kp); +- +- /* +- * Copy the results out +- */ +- PUT_HALF_BLOCK(left, op); +- PUT_HALF_BLOCK(right, op); +- } +-} +- +-static void +-des_cbc_decrypt(const mit_des_cblock *in, mit_des_cblock *out, +- unsigned long length, const mit_des_key_schedule schedule, +- const mit_des_cblock ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- unsigned char *op; +- unsigned DES_INT32 ocipherl, ocipherr; +- unsigned DES_INT32 cipherl, cipherr; +- +- /* +- * Get key pointer here. 
This won't need to be reinitialized +- */ +- kp = (const unsigned DES_INT32 *)schedule; +- +- /* +- * Decrypting is harder than encrypting because of +- * the necessity of remembering a lot more things. +- * Should think about this a little more... +- */ +- +- if (length <= 0) +- return; +- +- /* +- * Prime the old cipher with ivec. +- */ +- ip = ivec; +- GET_HALF_BLOCK(ocipherl, ip); +- GET_HALF_BLOCK(ocipherr, ip); +- +- /* +- * Now do this in earnest until we run out of length. +- */ +- ip = *in; +- op = *out; +- for (;;) { /* check done inside loop */ +- /* +- * Read a block from the input into left and +- * right. Save this cipher block for later. +- */ +- GET_HALF_BLOCK(left, ip); +- GET_HALF_BLOCK(right, ip); +- cipherl = left; +- cipherr = right; +- +- /* +- * Decrypt this. +- */ +- DES_DO_DECRYPT(left, right, kp); +- +- /* +- * Xor with the old cipher to get plain +- * text. Output 8 or less bytes of this. +- */ +- left ^= ocipherl; +- right ^= ocipherr; +- if (length > 8) { +- length -= 8; +- PUT_HALF_BLOCK(left, op); +- PUT_HALF_BLOCK(right, op); +- /* +- * Save current cipher block here +- */ +- ocipherl = cipherl; +- ocipherr = cipherr; +- } else { +- /* +- * Trouble here. Start at end of output, +- * work backwards. 
+- */ +- op += (int) length; +- switch(length) { +- case 8: +- *(--op) = (unsigned char) (right & 0xff); +- case 7: +- *(--op) = (unsigned char) ((right >> 8) & 0xff); +- case 6: +- *(--op) = (unsigned char) ((right >> 16) & 0xff); +- case 5: +- *(--op) = (unsigned char) ((right >> 24) & 0xff); +- case 4: +- *(--op) = (unsigned char) (left & 0xff); +- case 3: +- *(--op) = (unsigned char) ((left >> 8) & 0xff); +- case 2: +- *(--op) = (unsigned char) ((left >> 16) & 0xff); +- case 1: +- *(--op) = (unsigned char) ((left >> 24) & 0xff); +- break; +- } +- break; /* we're done */ +- } +- } +-} +- +-int +-mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, +- unsigned long length, const mit_des_key_schedule schedule, +- const mit_des_cblock ivec, int enc) +-{ +- /* +- * Deal with encryption and decryption separately. +- */ +- if (enc) +- des_cbc_encrypt(in, out, length, schedule, ivec); +- else +- des_cbc_decrypt(in, out, length, schedule, ivec); +- return 0; +-} +diff --git a/src/lib/crypto/builtin/des/f_cksum.c b/src/lib/crypto/builtin/des/f_cksum.c +deleted file mode 100644 +index 615a947f4a..0000000000 +--- a/src/lib/crypto/builtin/des/f_cksum.c ++++ /dev/null +@@ -1,141 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/builtin/des/f_cksum.c */ +-/* +- * Copyright (C) 1990 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. 
+- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-/* DES implementation donated by Dennis Ferguson */ +- +-/* +- * des_cbc_cksum.c - compute an 8 byte checksum using DES in CBC mode +- */ +-#include "crypto_int.h" +-#include "des_int.h" +-#include "f_tables.h" +- +-#ifdef K5_BUILTIN_DES +- +-/* +- * This routine performs DES cipher-block-chaining checksum operation, +- * a.k.a. Message Authentication Code. It ALWAYS encrypts from input +- * to a single 64 bit output MAC checksum. +- * +- * The key schedule is passed as an arg, as well as the cleartext or +- * ciphertext. The cleartext and ciphertext should be in host order. +- * +- * NOTE-- the output is ALWAYS 8 bytes long. If not enough space was +- * provided, your program will get trashed. +- * +- * The input is null padded, at the end (highest addr), to an integral +- * multiple of eight bytes. 
+- */ +- +-unsigned long +-mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out, +- unsigned long length, const mit_des_key_schedule schedule, +- const krb5_octet *ivec) +-{ +- unsigned DES_INT32 left, right; +- const unsigned DES_INT32 *kp; +- const unsigned char *ip; +- unsigned char *op; +- DES_INT32 len; +- +- /* +- * Initialize left and right with the contents of the initial +- * vector. +- */ +- ip = ivec; +- GET_HALF_BLOCK(left, ip); +- GET_HALF_BLOCK(right, ip); +- +- /* +- * Suitably initialized, now work the length down 8 bytes +- * at a time. +- */ +- ip = in; +- len = length; +- while (len > 0) { +- /* +- * Get more input, xor it in. If the length is +- * greater than or equal to 8 this is straight +- * forward. Otherwise we have to fart around. +- */ +- if (len >= 8) { +- unsigned DES_INT32 temp; +- GET_HALF_BLOCK(temp, ip); +- left ^= temp; +- GET_HALF_BLOCK(temp, ip); +- right ^= temp; +- len -= 8; +- } else { +- /* +- * Oh, shoot. We need to pad the +- * end with zeroes. Work backwards +- * to do this. +- */ +- ip += (int) len; +- switch(len) { +- case 7: +- right ^= (*(--ip) & FF_UINT32) << 8; +- case 6: +- right ^= (*(--ip) & FF_UINT32) << 16; +- case 5: +- right ^= (*(--ip) & FF_UINT32) << 24; +- case 4: +- left ^= *(--ip) & FF_UINT32; +- case 3: +- left ^= (*(--ip) & FF_UINT32) << 8; +- case 2: +- left ^= (*(--ip) & FF_UINT32) << 16; +- case 1: +- left ^= (*(--ip) & FF_UINT32) << 24; +- break; +- } +- len = 0; +- } +- +- /* +- * Encrypt what we have +- */ +- kp = (const unsigned DES_INT32 *)schedule; +- DES_DO_ENCRYPT(left, right, kp); +- } +- +- /* +- * Done. Left and right have the checksum. Put it into +- * the output. +- */ +- op = out; +- PUT_HALF_BLOCK(left, op); +- PUT_HALF_BLOCK(right, op); +- +- /* +- * Return right. I'll bet the MIT code returns this +- * inconsistantly (with the low order byte of the checksum +- * not always in the low order byte of the DES_INT32). We won't. 
+- */ +- return right & 0xFFFFFFFFUL; +-} +- +-#endif /* K5_BUILTIN_DES */ +diff --git a/src/lib/crypto/builtin/des/f_parity.c b/src/lib/crypto/builtin/des/f_parity.c +deleted file mode 100644 +index a658878f6f..0000000000 +--- a/src/lib/crypto/builtin/des/f_parity.c ++++ /dev/null +@@ -1,64 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* +- * These routines check and fix parity of encryption keys for the DES +- * algorithm. +- * +- * They are a replacement for routines in key_parity.c, that don't require +- * the table building that they do. +- * +- * Mark Eichin -- Cygnus Support +- */ +- +-#include "crypto_int.h" +-#include "des_int.h" +- +-#ifdef K5_BUILTIN_DES_KEY_PARITY +- +-/* +- * des_fixup_key_parity: Forces odd parity per byte; parity is bits +- * 8,16,...64 in des order, implies 0, 8, 16, ... +- * vax order. +- */ +-#define smask(step) ((1<>step)&smask(step))) +-#define parity_char(x) pstep(pstep(pstep((x),4),2),1) +- +-void +-mit_des_fixup_key_parity(mit_des_cblock key) +-{ +- unsigned int i; +- for (i=0; i> 29) & 0x7] +- | (PC1_CL[(tmp >> 21) & 0x7] << 1) +- | (PC1_CL[(tmp >> 13) & 0x7] << 2) +- | (PC1_CL[(tmp >> 5) & 0x7] << 3); +- d = PC1_DL[(tmp >> 25) & 0xf] +- | (PC1_DL[(tmp >> 17) & 0xf] << 1) +- | (PC1_DL[(tmp >> 9) & 0xf] << 2) +- | (PC1_DL[(tmp >> 1) & 0xf] << 3); +- +- tmp = load_32_be(k), k += 4; +- +- c |= PC1_CR[(tmp >> 28) & 0xf] +- | (PC1_CR[(tmp >> 20) & 0xf] << 1) +- | (PC1_CR[(tmp >> 12) & 0xf] << 2) +- | (PC1_CR[(tmp >> 4) & 0xf] << 3); +- d |= PC1_DR[(tmp >> 25) & 0x7] +- | (PC1_DR[(tmp >> 17) & 0x7] << 1) +- | (PC1_DR[(tmp >> 9) & 0x7] << 2) +- | (PC1_DR[(tmp >> 1) & 0x7] << 3); +- } +- +- { +- /* +- * Need several temporaries in here +- */ +- unsigned DES_INT32 ltmp, rtmp; +- unsigned DES_INT32 *k; +- int two_bit_shifts; +- int i; +- /* +- * Now iterate to compute the key schedule. Note that we +- * record the entire set of subkeys in 6 bit chunks since +- * they are used that way. 
At 6 bits/char, we need +- * 48/6 char's/subkey * 16 subkeys/encryption == 128 bytes. +- * The schedule must be this big. +- */ +- k = (unsigned DES_INT32 *)schedule; +- two_bit_shifts = TWO_BIT_SHIFTS; +- for (i = 16; i > 0; i--) { +- /* +- * Do the rotation. One bit and two bit rotations +- * are done separately. Note C and D are 28 bits. +- */ +- if (two_bit_shifts & 0x1) { +- c = ((c << 2) & 0xffffffc) | (c >> 26); +- d = ((d << 2) & 0xffffffc) | (d >> 26); +- } else { +- c = ((c << 1) & 0xffffffe) | (c >> 27); +- d = ((d << 1) & 0xffffffe) | (d >> 27); +- } +- two_bit_shifts >>= 1; +- +- /* +- * Apply permutted choice 2 to C to get the first +- * 24 bits worth of keys. Note that bits 9, 18, 22 +- * and 25 (using DES numbering) in C are unused. The +- * shift-mask stuff is done to delete these bits from +- * the indices, since this cuts the table size in half. +- * +- * The table is torqued, by the way. If the standard +- * byte order for this (high to low order) is 1234, +- * the table actually gives us 4132. +- */ +- ltmp = PC2_C[0][((c >> 22) & 0x3f)] +- | PC2_C[1][((c >> 15) & 0xf) | ((c >> 16) & 0x30)] +- | PC2_C[2][((c >> 4) & 0x3) | ((c >> 9) & 0x3c)] +- | PC2_C[3][((c ) & 0x7) | ((c >> 4) & 0x38)]; +- /* +- * Apply permutted choice 2 to D to get the other half. +- * Here, bits 7, 10, 15 and 26 go unused. The sqeezing +- * actually turns out to be cheaper here. +- * +- * This table is similarly torqued. If the standard +- * byte order is 5678, the table has the bytes permuted +- * to give us 7685. +- */ +- rtmp = PC2_D[0][((d >> 22) & 0x3f)] +- | PC2_D[1][((d >> 14) & 0xf) | ((d >> 15) & 0x30)] +- | PC2_D[2][((d >> 7) & 0x3f)] +- | PC2_D[3][((d ) & 0x3) | ((d >> 1) & 0x3c)]; +- +- /* +- * Make up two words of the key schedule, with a +- * byte order which is convenient for the DES +- * inner loop. The high order (first) word will +- * hold bytes 7135 (high to low order) while the +- * second holds bytes 4682. 
+- */ +- *k++ = (ltmp & 0x00ffff00) | (rtmp & 0xff0000ff); +- *k++ = (ltmp & 0xff0000ff) | (rtmp & 0x00ffff00); +- } +- } +- return (0); +-} +- +-#endif /* K5_BUILTIN_DES */ +diff --git a/src/lib/crypto/builtin/des/f_tables.c b/src/lib/crypto/builtin/des/f_tables.c +deleted file mode 100644 +index e50ab1fc60..0000000000 +--- a/src/lib/crypto/builtin/des/f_tables.c ++++ /dev/null +@@ -1,375 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/builtin/des/f_tables.c */ +-/* +- * Copyright (C) 1990 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. 
+- */ +- +-/* DES implementation donated by Dennis Ferguson */ +- +-/* +- * des_tables.c - precomputed tables used for the DES cipher function +- */ +- +-/* +- * Include the header file so something will complain if the +- * declarations get out of sync +- */ +-#include "crypto_int.h" +-#include "des_int.h" +-#include "f_tables.h" +- +-#ifdef K5_BUILTIN_DES +- +-/* +- * These tables may be declared const if you want. Many compilers +- * don't support this, though. +- */ +- +-/* +- * The DES algorithm which uses these is intended to be fairly speedy +- * at the expense of some memory. All the standard hacks are used. +- * The S boxes and the P permutation are precomputed into one table. +- * The E box never actually appears explicitly since it is easy to apply +- * this algorithmically as needed. The initial permutation and final +- * (inverse initial) permutation are computed from tables designed to +- * permute one byte at a time. This should run pretty fast on machines +- * with 32 bit words and bit field/multiple bit shift instructions which +- * are fast. +- */ +- +-/* +- * The initial permutation array. This is used to compute both the +- * left and the right halves of the initial permutation using bytes +- * from words made from the following operations: +- * +- * ((left & 0x55555555) << 1) | (right & 0x55555555) for left half +- * (left & 0xaaaaaaaa) | ((right & 0xaaaaaaaa) >> 1) for right half +- * +- * The scheme is that we index into the table using each byte. The +- * result from the high order byte is or'd with the result from the +- * next byte shifted left once is or'd with the result from the next +- * byte shifted left twice if or'd with the result from the low order +- * byte shifted left by three. Clear? 
+- */ +- +-const unsigned DES_INT32 des_IP_table[256] = { +- 0x00000000, 0x00000010, 0x00000001, 0x00000011, +- 0x00001000, 0x00001010, 0x00001001, 0x00001011, +- 0x00000100, 0x00000110, 0x00000101, 0x00000111, +- 0x00001100, 0x00001110, 0x00001101, 0x00001111, +- 0x00100000, 0x00100010, 0x00100001, 0x00100011, +- 0x00101000, 0x00101010, 0x00101001, 0x00101011, +- 0x00100100, 0x00100110, 0x00100101, 0x00100111, +- 0x00101100, 0x00101110, 0x00101101, 0x00101111, +- 0x00010000, 0x00010010, 0x00010001, 0x00010011, +- 0x00011000, 0x00011010, 0x00011001, 0x00011011, +- 0x00010100, 0x00010110, 0x00010101, 0x00010111, +- 0x00011100, 0x00011110, 0x00011101, 0x00011111, +- 0x00110000, 0x00110010, 0x00110001, 0x00110011, +- 0x00111000, 0x00111010, 0x00111001, 0x00111011, +- 0x00110100, 0x00110110, 0x00110101, 0x00110111, +- 0x00111100, 0x00111110, 0x00111101, 0x00111111, +- 0x10000000, 0x10000010, 0x10000001, 0x10000011, +- 0x10001000, 0x10001010, 0x10001001, 0x10001011, +- 0x10000100, 0x10000110, 0x10000101, 0x10000111, +- 0x10001100, 0x10001110, 0x10001101, 0x10001111, +- 0x10100000, 0x10100010, 0x10100001, 0x10100011, +- 0x10101000, 0x10101010, 0x10101001, 0x10101011, +- 0x10100100, 0x10100110, 0x10100101, 0x10100111, +- 0x10101100, 0x10101110, 0x10101101, 0x10101111, +- 0x10010000, 0x10010010, 0x10010001, 0x10010011, +- 0x10011000, 0x10011010, 0x10011001, 0x10011011, +- 0x10010100, 0x10010110, 0x10010101, 0x10010111, +- 0x10011100, 0x10011110, 0x10011101, 0x10011111, +- 0x10110000, 0x10110010, 0x10110001, 0x10110011, +- 0x10111000, 0x10111010, 0x10111001, 0x10111011, +- 0x10110100, 0x10110110, 0x10110101, 0x10110111, +- 0x10111100, 0x10111110, 0x10111101, 0x10111111, +- 0x01000000, 0x01000010, 0x01000001, 0x01000011, +- 0x01001000, 0x01001010, 0x01001001, 0x01001011, +- 0x01000100, 0x01000110, 0x01000101, 0x01000111, +- 0x01001100, 0x01001110, 0x01001101, 0x01001111, +- 0x01100000, 0x01100010, 0x01100001, 0x01100011, +- 0x01101000, 0x01101010, 0x01101001, 0x01101011, +- 
0x01100100, 0x01100110, 0x01100101, 0x01100111, +- 0x01101100, 0x01101110, 0x01101101, 0x01101111, +- 0x01010000, 0x01010010, 0x01010001, 0x01010011, +- 0x01011000, 0x01011010, 0x01011001, 0x01011011, +- 0x01010100, 0x01010110, 0x01010101, 0x01010111, +- 0x01011100, 0x01011110, 0x01011101, 0x01011111, +- 0x01110000, 0x01110010, 0x01110001, 0x01110011, +- 0x01111000, 0x01111010, 0x01111001, 0x01111011, +- 0x01110100, 0x01110110, 0x01110101, 0x01110111, +- 0x01111100, 0x01111110, 0x01111101, 0x01111111, +- 0x11000000, 0x11000010, 0x11000001, 0x11000011, +- 0x11001000, 0x11001010, 0x11001001, 0x11001011, +- 0x11000100, 0x11000110, 0x11000101, 0x11000111, +- 0x11001100, 0x11001110, 0x11001101, 0x11001111, +- 0x11100000, 0x11100010, 0x11100001, 0x11100011, +- 0x11101000, 0x11101010, 0x11101001, 0x11101011, +- 0x11100100, 0x11100110, 0x11100101, 0x11100111, +- 0x11101100, 0x11101110, 0x11101101, 0x11101111, +- 0x11010000, 0x11010010, 0x11010001, 0x11010011, +- 0x11011000, 0x11011010, 0x11011001, 0x11011011, +- 0x11010100, 0x11010110, 0x11010101, 0x11010111, +- 0x11011100, 0x11011110, 0x11011101, 0x11011111, +- 0x11110000, 0x11110010, 0x11110001, 0x11110011, +- 0x11111000, 0x11111010, 0x11111001, 0x11111011, +- 0x11110100, 0x11110110, 0x11110101, 0x11110111, +- 0x11111100, 0x11111110, 0x11111101, 0x11111111 +-}; +- +-/* +- * The final permutation array. Like the IP array, used +- * to compute both the left and right results from the bytes +- * of words computed from: +- * +- * ((left & 0x0f0f0f0f) << 4) | (right & 0x0f0f0f0f) for left result +- * (left & 0xf0f0f0f0) | ((right & 0xf0f0f0f0) >> 4) for right result +- * +- * The result from the high order byte is shifted left 6 bits and +- * or'd with the result from the next byte shifted left 4 bits, which +- * is or'd with the result from the next byte shifted left 2 bits, +- * which is or'd with the result from the low byte. 
+- */
+-const unsigned DES_INT32 des_FP_table[256] = {
+- 0x00000000, 0x02000000, 0x00020000, 0x02020000,
+- 0x00000200, 0x02000200, 0x00020200, 0x02020200,
+- 0x00000002, 0x02000002, 0x00020002, 0x02020002,
+- 0x00000202, 0x02000202, 0x00020202, 0x02020202,
+- 0x01000000, 0x03000000, 0x01020000, 0x03020000,
+- 0x01000200, 0x03000200, 0x01020200, 0x03020200,
+- 0x01000002, 0x03000002, 0x01020002, 0x03020002,
+- 0x01000202, 0x03000202, 0x01020202, 0x03020202,
+- 0x00010000, 0x02010000, 0x00030000, 0x02030000,
+- 0x00010200, 0x02010200, 0x00030200, 0x02030200,
+- 0x00010002, 0x02010002, 0x00030002, 0x02030002,
+- 0x00010202, 0x02010202, 0x00030202, 0x02030202,
+- 0x01010000, 0x03010000, 0x01030000, 0x03030000,
+- 0x01010200, 0x03010200, 0x01030200, 0x03030200,
+- 0x01010002, 0x03010002, 0x01030002, 0x03030002,
+- 0x01010202, 0x03010202, 0x01030202, 0x03030202,
+- 0x00000100, 0x02000100, 0x00020100, 0x02020100,
+- 0x00000300, 0x02000300, 0x00020300, 0x02020300,
+- 0x00000102, 0x02000102, 0x00020102, 0x02020102,
+- 0x00000302, 0x02000302, 0x00020302, 0x02020302,
+- 0x01000100, 0x03000100, 0x01020100, 0x03020100,
+- 0x01000300, 0x03000300, 0x01020300, 0x03020300,
+- 0x01000102, 0x03000102, 0x01020102, 0x03020102,
+- 0x01000302, 0x03000302, 0x01020302, 0x03020302,
+- 0x00010100, 0x02010100, 0x00030100, 0x02030100,
+- 0x00010300, 0x02010300, 0x00030300, 0x02030300,
+- 0x00010102, 0x02010102, 0x00030102, 0x02030102,
+- 0x00010302, 0x02010302, 0x00030302, 0x02030302,
+- 0x01010100, 0x03010100, 0x01030100, 0x03030100,
+- 0x01010300, 0x03010300, 0x01030300, 0x03030300,
+- 0x01010102, 0x03010102, 0x01030102, 0x03030102,
+- 0x01010302, 0x03010302, 0x01030302, 0x03030302,
+- 0x00000001, 0x02000001, 0x00020001, 0x02020001,
+- 0x00000201, 0x02000201, 0x00020201, 0x02020201,
+- 0x00000003, 0x02000003, 0x00020003, 0x02020003,
+- 0x00000203, 0x02000203, 0x00020203, 0x02020203,
+- 0x01000001, 0x03000001, 0x01020001, 0x03020001,
+- 0x01000201, 0x03000201, 0x01020201, 0x03020201,
+- 
0x01000003, 0x03000003, 0x01020003, 0x03020003,
+- 0x01000203, 0x03000203, 0x01020203, 0x03020203,
+- 0x00010001, 0x02010001, 0x00030001, 0x02030001,
+- 0x00010201, 0x02010201, 0x00030201, 0x02030201,
+- 0x00010003, 0x02010003, 0x00030003, 0x02030003,
+- 0x00010203, 0x02010203, 0x00030203, 0x02030203,
+- 0x01010001, 0x03010001, 0x01030001, 0x03030001,
+- 0x01010201, 0x03010201, 0x01030201, 0x03030201,
+- 0x01010003, 0x03010003, 0x01030003, 0x03030003,
+- 0x01010203, 0x03010203, 0x01030203, 0x03030203,
+- 0x00000101, 0x02000101, 0x00020101, 0x02020101,
+- 0x00000301, 0x02000301, 0x00020301, 0x02020301,
+- 0x00000103, 0x02000103, 0x00020103, 0x02020103,
+- 0x00000303, 0x02000303, 0x00020303, 0x02020303,
+- 0x01000101, 0x03000101, 0x01020101, 0x03020101,
+- 0x01000301, 0x03000301, 0x01020301, 0x03020301,
+- 0x01000103, 0x03000103, 0x01020103, 0x03020103,
+- 0x01000303, 0x03000303, 0x01020303, 0x03020303,
+- 0x00010101, 0x02010101, 0x00030101, 0x02030101,
+- 0x00010301, 0x02010301, 0x00030301, 0x02030301,
+- 0x00010103, 0x02010103, 0x00030103, 0x02030103,
+- 0x00010303, 0x02010303, 0x00030303, 0x02030303,
+- 0x01010101, 0x03010101, 0x01030101, 0x03030101,
+- 0x01010301, 0x03010301, 0x01030301, 0x03030301,
+- 0x01010103, 0x03010103, 0x01030103, 0x03030103,
+- 0x01010303, 0x03010303, 0x01030303, 0x03030303
+-};
+-
+-
+-/*
+- * The SP table is actually the S boxes and the P permutation
+- * table combined. This table is actually reordered from the
+- * spec, to match the order of key application we follow. 
+- */
+-const unsigned DES_INT32 des_SP_table[8][64] = {
+- {
+- 0x00100000, 0x02100001, 0x02000401, 0x00000000, /* 7 */
+- 0x00000400, 0x02000401, 0x00100401, 0x02100400,
+- 0x02100401, 0x00100000, 0x00000000, 0x02000001,
+- 0x00000001, 0x02000000, 0x02100001, 0x00000401,
+- 0x02000400, 0x00100401, 0x00100001, 0x02000400,
+- 0x02000001, 0x02100000, 0x02100400, 0x00100001,
+- 0x02100000, 0x00000400, 0x00000401, 0x02100401,
+- 0x00100400, 0x00000001, 0x02000000, 0x00100400,
+- 0x02000000, 0x00100400, 0x00100000, 0x02000401,
+- 0x02000401, 0x02100001, 0x02100001, 0x00000001,
+- 0x00100001, 0x02000000, 0x02000400, 0x00100000,
+- 0x02100400, 0x00000401, 0x00100401, 0x02100400,
+- 0x00000401, 0x02000001, 0x02100401, 0x02100000,
+- 0x00100400, 0x00000000, 0x00000001, 0x02100401,
+- 0x00000000, 0x00100401, 0x02100000, 0x00000400,
+- 0x02000001, 0x02000400, 0x00000400, 0x00100001,
+- },
+- {
+- 0x00808200, 0x00000000, 0x00008000, 0x00808202, /* 1 */
+- 0x00808002, 0x00008202, 0x00000002, 0x00008000,
+- 0x00000200, 0x00808200, 0x00808202, 0x00000200,
+- 0x00800202, 0x00808002, 0x00800000, 0x00000002,
+- 0x00000202, 0x00800200, 0x00800200, 0x00008200,
+- 0x00008200, 0x00808000, 0x00808000, 0x00800202,
+- 0x00008002, 0x00800002, 0x00800002, 0x00008002,
+- 0x00000000, 0x00000202, 0x00008202, 0x00800000,
+- 0x00008000, 0x00808202, 0x00000002, 0x00808000,
+- 0x00808200, 0x00800000, 0x00800000, 0x00000200,
+- 0x00808002, 0x00008000, 0x00008200, 0x00800002,
+- 0x00000200, 0x00000002, 0x00800202, 0x00008202,
+- 0x00808202, 0x00008002, 0x00808000, 0x00800202,
+- 0x00800002, 0x00000202, 0x00008202, 0x00808200,
+- 0x00000202, 0x00800200, 0x00800200, 0x00000000,
+- 0x00008002, 0x00008200, 0x00000000, 0x00808002,
+- },
+- {
+- 0x00000104, 0x04010100, 0x00000000, 0x04010004, /* 3 */
+- 0x04000100, 0x00000000, 0x00010104, 0x04000100,
+- 0x00010004, 0x04000004, 0x04000004, 0x00010000,
+- 0x04010104, 0x00010004, 0x04010000, 0x00000104,
+- 0x04000000, 0x00000004, 0x04010100, 0x00000100,
+- 
0x00010100, 0x04010000, 0x04010004, 0x00010104,
+- 0x04000104, 0x00010100, 0x00010000, 0x04000104,
+- 0x00000004, 0x04010104, 0x00000100, 0x04000000,
+- 0x04010100, 0x04000000, 0x00010004, 0x00000104,
+- 0x00010000, 0x04010100, 0x04000100, 0x00000000,
+- 0x00000100, 0x00010004, 0x04010104, 0x04000100,
+- 0x04000004, 0x00000100, 0x00000000, 0x04010004,
+- 0x04000104, 0x00010000, 0x04000000, 0x04010104,
+- 0x00000004, 0x00010104, 0x00010100, 0x04000004,
+- 0x04010000, 0x04000104, 0x00000104, 0x04010000,
+- 0x00010104, 0x00000004, 0x04010004, 0x00010100,
+- },
+- {
+- 0x00000080, 0x01040080, 0x01040000, 0x21000080, /* 5 */
+- 0x00040000, 0x00000080, 0x20000000, 0x01040000,
+- 0x20040080, 0x00040000, 0x01000080, 0x20040080,
+- 0x21000080, 0x21040000, 0x00040080, 0x20000000,
+- 0x01000000, 0x20040000, 0x20040000, 0x00000000,
+- 0x20000080, 0x21040080, 0x21040080, 0x01000080,
+- 0x21040000, 0x20000080, 0x00000000, 0x21000000,
+- 0x01040080, 0x01000000, 0x21000000, 0x00040080,
+- 0x00040000, 0x21000080, 0x00000080, 0x01000000,
+- 0x20000000, 0x01040000, 0x21000080, 0x20040080,
+- 0x01000080, 0x20000000, 0x21040000, 0x01040080,
+- 0x20040080, 0x00000080, 0x01000000, 0x21040000,
+- 0x21040080, 0x00040080, 0x21000000, 0x21040080,
+- 0x01040000, 0x00000000, 0x20040000, 0x21000000,
+- 0x00040080, 0x01000080, 0x20000080, 0x00040000,
+- 0x00000000, 0x20040000, 0x01040080, 0x20000080,
+- },
+- {
+- 0x80401000, 0x80001040, 0x80001040, 0x00000040, /* 4 */
+- 0x00401040, 0x80400040, 0x80400000, 0x80001000,
+- 0x00000000, 0x00401000, 0x00401000, 0x80401040,
+- 0x80000040, 0x00000000, 0x00400040, 0x80400000,
+- 0x80000000, 0x00001000, 0x00400000, 0x80401000,
+- 0x00000040, 0x00400000, 0x80001000, 0x00001040,
+- 0x80400040, 0x80000000, 0x00001040, 0x00400040,
+- 0x00001000, 0x00401040, 0x80401040, 0x80000040,
+- 0x00400040, 0x80400000, 0x00401000, 0x80401040,
+- 0x80000040, 0x00000000, 0x00000000, 0x00401000,
+- 0x00001040, 0x00400040, 0x80400040, 0x80000000,
+- 0x80401000, 0x80001040, 
0x80001040, 0x00000040,
+- 0x80401040, 0x80000040, 0x80000000, 0x00001000,
+- 0x80400000, 0x80001000, 0x00401040, 0x80400040,
+- 0x80001000, 0x00001040, 0x00400000, 0x80401000,
+- 0x00000040, 0x00400000, 0x00001000, 0x00401040,
+- },
+- {
+- 0x10000008, 0x10200000, 0x00002000, 0x10202008, /* 6 */
+- 0x10200000, 0x00000008, 0x10202008, 0x00200000,
+- 0x10002000, 0x00202008, 0x00200000, 0x10000008,
+- 0x00200008, 0x10002000, 0x10000000, 0x00002008,
+- 0x00000000, 0x00200008, 0x10002008, 0x00002000,
+- 0x00202000, 0x10002008, 0x00000008, 0x10200008,
+- 0x10200008, 0x00000000, 0x00202008, 0x10202000,
+- 0x00002008, 0x00202000, 0x10202000, 0x10000000,
+- 0x10002000, 0x00000008, 0x10200008, 0x00202000,
+- 0x10202008, 0x00200000, 0x00002008, 0x10000008,
+- 0x00200000, 0x10002000, 0x10000000, 0x00002008,
+- 0x10000008, 0x10202008, 0x00202000, 0x10200000,
+- 0x00202008, 0x10202000, 0x00000000, 0x10200008,
+- 0x00000008, 0x00002000, 0x10200000, 0x00202008,
+- 0x00002000, 0x00200008, 0x10002008, 0x00000000,
+- 0x10202000, 0x10000000, 0x00200008, 0x10002008,
+- },
+- {
+- 0x08000820, 0x00000800, 0x00020000, 0x08020820, /* 8 */
+- 0x08000000, 0x08000820, 0x00000020, 0x08000000,
+- 0x00020020, 0x08020000, 0x08020820, 0x00020800,
+- 0x08020800, 0x00020820, 0x00000800, 0x00000020,
+- 0x08020000, 0x08000020, 0x08000800, 0x00000820,
+- 0x00020800, 0x00020020, 0x08020020, 0x08020800,
+- 0x00000820, 0x00000000, 0x00000000, 0x08020020,
+- 0x08000020, 0x08000800, 0x00020820, 0x00020000,
+- 0x00020820, 0x00020000, 0x08020800, 0x00000800,
+- 0x00000020, 0x08020020, 0x00000800, 0x00020820,
+- 0x08000800, 0x00000020, 0x08000020, 0x08020000,
+- 0x08020020, 0x08000000, 0x00020000, 0x08000820,
+- 0x00000000, 0x08020820, 0x00020020, 0x08000020,
+- 0x08020000, 0x08000800, 0x08000820, 0x00000000,
+- 0x08020820, 0x00020800, 0x00020800, 0x00000820,
+- 0x00000820, 0x00020020, 0x08000000, 0x08020800,
+- },
+- {
+- 0x40084010, 0x40004000, 0x00004000, 0x00084010, /* 2 */
+- 0x00080000, 0x00000010, 
0x40080010, 0x40004010,
+- 0x40000010, 0x40084010, 0x40084000, 0x40000000,
+- 0x40004000, 0x00080000, 0x00000010, 0x40080010,
+- 0x00084000, 0x00080010, 0x40004010, 0x00000000,
+- 0x40000000, 0x00004000, 0x00084010, 0x40080000,
+- 0x00080010, 0x40000010, 0x00000000, 0x00084000,
+- 0x00004010, 0x40084000, 0x40080000, 0x00004010,
+- 0x00000000, 0x00084010, 0x40080010, 0x00080000,
+- 0x40004010, 0x40080000, 0x40084000, 0x00004000,
+- 0x40080000, 0x40004000, 0x00000010, 0x40084010,
+- 0x00084010, 0x00000010, 0x00004000, 0x40000000,
+- 0x00004010, 0x40084000, 0x00080000, 0x40000010,
+- 0x00080010, 0x40004010, 0x40000010, 0x00080010,
+- 0x00084000, 0x00000000, 0x40004000, 0x00004010,
+- 0x40000000, 0x40080010, 0x40084010, 0x00084000
+- },
+-};
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/builtin/des/f_tables.h b/src/lib/crypto/builtin/des/f_tables.h
+deleted file mode 100644
+index fc91b566cf..0000000000
+--- a/src/lib/crypto/builtin/des/f_tables.h
++++ /dev/null
+@@ -1,285 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/builtin/des/f_tables.h */
+-/*
+- * Copyright (C) 1990 by the Massachusetts Institute of Technology.
+- * All rights reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. 
not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-
+-/*
+- * DES implementation donated by Dennis Ferguson
+- */
+-
+-/*
+- * des_tables.h - declarations to import the DES tables, used internally
+- * by some of the library routines.
+- */
+-#ifndef __DES_TABLES_H__
+-#define __DES_TABLES_H__ /* nothing */
+-
+-#include "k5-platform.h"
+-/*
+- * These may be declared const if you wish. Be sure to change the
+- * declarations in des_tables.c as well.
+- */
+-extern const unsigned DES_INT32 des_IP_table[256];
+-extern const unsigned DES_INT32 des_FP_table[256];
+-extern const unsigned DES_INT32 des_SP_table[8][64];
+-
+-/*
+- * Use standard shortforms to reference these to save typing
+- */
+-#define IP des_IP_table
+-#define FP des_FP_table
+-#define SP des_SP_table
+-
+-#ifdef DEBUG
+-#define DEB(foofraw) printf foofraw
+-#else
+-#define DEB(foofraw) /* nothing */
+-#endif
+-
+-/*
+- * Code to do a DES round using the tables. Note that the E expansion
+- * is easy to compute algorithmically, especially if done out-of-order.
+- * Take a look at its form and compare it to everything involving temp
+- * below. Since SP[0-7] don't have any bits in common set it is okay
+- * to do the successive xor's.
+- *
+- * Note too that the SP table has been reordered to match the order of
+- * the keys (if the original order of SP was 12345678, the reordered
+- * table is 71354682). This is unnecessary, but was done since some
+- * compilers seem to like you going through the matrix from beginning
+- * to end. 
+- *
+- * There is a difference in the best way to do this depending on whether
+- * one is encrypting or decrypting. If encrypting we move forward through
+- * the keys and hence should move forward through the table. If decrypting
+- * we go back. Part of the need for this comes from trying to emulate
+- * existing software which generates a single key schedule and uses it
+- * both for encrypting and decrypting. Generating separate encryption
+- * and decryption key schedules would allow one to use the same code
+- * for both.
+- *
+- * left, right and temp should be unsigned DES_INT32 values. left and right
+- * should be the high and low order parts of the cipher block at the
+- * current stage of processing (this makes sense if you read the spec).
+- * kp should be an unsigned DES_INT32 pointer which points at the current
+- * set of subkeys in the key schedule. It is advanced to the next set
+- * (i.e. by 8 bytes) when this is done.
+- *
+- * This occurs in the innermost loop of the DES function. The four
+- * variables should really be in registers.
+- *
+- * When using this, the inner loop of the DES function might look like:
+- *
+- * for (i = 0; i < 8; i++) {
+- * DES_SP_{EN,DE}CRYPT_ROUND(left, right, temp, kp);
+- * DES_SP_{EN,DE}CRYPT_ROUND(right, left, temp, kp);
+- * }
+- *
+- * Note the trick above. You are supposed to do 16 rounds, swapping
+- * left and right at the end of each round. By doing two rounds at
+- * a time and swapping left and right in the code we can avoid the
+- * swaps altogether. 
+- */
+-#define DES_SP_ENCRYPT_ROUND(left, right, temp, kp) do { \
+- (temp) = (((right) >> 11) | ((right) << 21)) ^ *(kp)++; \
+- (left) ^= SP[0][((temp) >> 24) & 0x3f] \
+- | SP[1][((temp) >> 16) & 0x3f] \
+- | SP[2][((temp) >> 8) & 0x3f] \
+- | SP[3][((temp) ) & 0x3f]; \
+- (temp) = (((right) >> 23) | ((right) << 9)) ^ *(kp)++; \
+- (left) ^= SP[4][((temp) >> 24) & 0x3f] \
+- | SP[5][((temp) >> 16) & 0x3f] \
+- | SP[6][((temp) >> 8) & 0x3f] \
+- | SP[7][((temp) ) & 0x3f]; \
+- } while(0);
+-
+-#define DES_SP_DECRYPT_ROUND(left, right, temp, kp) do { \
+- (temp) = (((right) >> 23) | ((right) << 9)) ^ *(--(kp)); \
+- (left) ^= SP[7][((temp) ) & 0x3f] \
+- | SP[6][((temp) >> 8) & 0x3f] \
+- | SP[5][((temp) >> 16) & 0x3f] \
+- | SP[4][((temp) >> 24) & 0x3f]; \
+- (temp) = (((right) >> 11) | ((right) << 21)) ^ *(--(kp)); \
+- (left) ^= SP[3][((temp) ) & 0x3f] \
+- | SP[2][((temp) >> 8) & 0x3f] \
+- | SP[1][((temp) >> 16) & 0x3f] \
+- | SP[0][((temp) >> 24) & 0x3f]; \
+- } while (0);
+-
+-/*
+- * Macros to help deal with the initial permutation table. Note
+- * the IP table only deals with 32 bits at a time, allowing us to
+- * collect the bits we need to deal with each half into an unsigned
+- * DES_INT32. By carefully selecting how the bits are ordered we also
+- * take advantages of symmetries in the table so that we can use a
+- * single table to compute the permutation of all bytes. This sounds
+- * complicated, but if you go through the process of designing the
+- * table you'll find the symmetries fall right out.
+- *
+- * The follow macros compute the set of bits used to index the
+- * table for produce the left and right permuted result.
+- *
+- * The inserted cast to unsigned DES_INT32 circumvents a bug in
+- * the Macintosh MPW 3.2 C compiler which loses the unsignedness and
+- * propagates the high-order bit in the shift. 
+- */
+-#define DES_IP_LEFT_BITS(left, right) \
+- ((((left) & 0x55555555) << 1) | ((right) & 0x55555555))
+-#define DES_IP_RIGHT_BITS(left, right) \
+- (((left) & 0xaaaaaaaa) | \
+- ( ( (unsigned DES_INT32) ((right) & 0xaaaaaaaa) ) >> 1))
+-
+-/*
+- * The following macro does an in-place initial permutation given
+- * the current left and right parts of the block and a single
+- * temporary. Use this more as a guide for rolling your own, though.
+- * The best way to do the IP depends on the form of the data you
+- * are dealing with. If you use this, though, try to make left,
+- * right and temp unsigned DES_INT32s.
+- */
+-#define DES_INITIAL_PERM(left, right, temp) do { \
+- (temp) = DES_IP_RIGHT_BITS((left), (right)); \
+- (right) = DES_IP_LEFT_BITS((left), (right)); \
+- (left) = IP[((right) >> 24) & 0xff] \
+- | (IP[((right) >> 16) & 0xff] << 1) \
+- | (IP[((right) >> 8) & 0xff] << 2) \
+- | (IP[(right) & 0xff] << 3); \
+- (right) = IP[((temp) >> 24) & 0xff] \
+- | (IP[((temp) >> 16) & 0xff] << 1) \
+- | (IP[((temp) >> 8) & 0xff] << 2) \
+- | (IP[(temp) & 0xff] << 3); \
+- } while(0);
+-
+-/*
+- * Now the final permutation stuff. The same comments apply to
+- * this as to the initial permutation, except that we use different
+- * bits and shifts.
+- *
+- * The inserted cast to unsigned DES_INT32 circumvents a bug in
+- * the Macintosh MPW 3.2 C compiler which loses the unsignedness and
+- * propagates the high-order bit in the shift.
+- */
+-#define DES_FP_LEFT_BITS(left, right) \
+- ((((left) & 0x0f0f0f0f) << 4) | ((right) & 0x0f0f0f0f))
+-#define DES_FP_RIGHT_BITS(left, right) \
+- (((left) & 0xf0f0f0f0) | \
+- ( ( (unsigned DES_INT32) ((right) & 0xf0f0f0f0) ) >> 4))
+-
+-
+-/*
+- * Here is a sample final permutation. Note that there is a trick
+- * here. DES requires swapping the left and right parts after the
+- * last cipher round but before the final permutation. 
We do this
+- * swapping internally, which is why left and right are confused
+- * at the beginning.
+- */
+-#define DES_FINAL_PERM(left, right, temp) do { \
+- (temp) = DES_FP_RIGHT_BITS((right), (left)); \
+- (right) = DES_FP_LEFT_BITS((right), (left)); \
+- (left) = (FP[((right) >> 24) & 0xff] << 6) \
+- | (FP[((right) >> 16) & 0xff] << 4) \
+- | (FP[((right) >> 8) & 0xff] << 2) \
+- | FP[(right) & 0xff]; \
+- (right) = (FP[((temp) >> 24) & 0xff] << 6) \
+- | (FP[((temp) >> 16) & 0xff] << 4) \
+- | (FP[((temp) >> 8) & 0xff] << 2) \
+- | FP[temp & 0xff]; \
+- } while(0);
+-
+-
+-/*
+- * Finally, as a sample of how all this might be held together, the
+- * following two macros do in-place encryptions and decryptions. left
+- * and right are two unsigned DES_INT32 variables which at the beginning
+- * are expected to hold the clear (encrypted) block in host byte order
+- * (left the high order four bytes, right the low order). At the end
+- * they will contain the encrypted (clear) block. temp is an unsigned DES_INT32
+- * used as a temporary. kp is an unsigned DES_INT32 pointer pointing at
+- * the start of the key schedule. All these should be in registers.
+- *
+- * You can probably do better than these by rewriting for particular
+- * situations. These aren't bad, though.
+- *
+- * The DEB macros enable debugging when this code breaks (typically
+- * when a buggy compiler breaks it), by printing the intermediate values
+- * at each stage of the encryption, so that by comparing the output to
+- * a known good machine, the location of the first error can be found. 
+- */
+-#define DES_DO_ENCRYPT_1(left, right, kp) \
+- do { \
+- int i; \
+- unsigned DES_INT32 temp1; \
+- DEB (("do_encrypt %8lX %8lX \n", left, right)); \
+- DES_INITIAL_PERM((left), (right), (temp1)); \
+- DEB ((" after IP %8lX %8lX\n", left, right)); \
+- for (i = 0; i < 8; i++) { \
+- DES_SP_ENCRYPT_ROUND((left), (right), (temp1), (kp)); \
+- DEB ((" round %2d %8lX %8lX \n", i*2, left, right)); \
+- DES_SP_ENCRYPT_ROUND((right), (left), (temp1), (kp)); \
+- DEB ((" round %2d %8lX %8lX \n", 1+i*2, left, right)); \
+- } \
+- DES_FINAL_PERM((left), (right), (temp1)); \
+- (kp) -= (2 * 16); \
+- DEB ((" after FP %8lX %8lX \n", left, right)); \
+- } while (0)
+-
+-#define DES_DO_DECRYPT_1(left, right, kp) \
+- do { \
+- int i; \
+- unsigned DES_INT32 temp2; \
+- DES_INITIAL_PERM((left), (right), (temp2)); \
+- (kp) += (2 * 16); \
+- for (i = 0; i < 8; i++) { \
+- DES_SP_DECRYPT_ROUND((left), (right), (temp2), (kp)); \
+- DES_SP_DECRYPT_ROUND((right), (left), (temp2), (kp)); \
+- } \
+- DES_FINAL_PERM((left), (right), (temp2)); \
+- } while (0)
+-
+-#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO)
+-extern void krb5int_des_do_encrypt_2(unsigned DES_INT32 *l,
+- unsigned DES_INT32 *r,
+- const unsigned DES_INT32 *k);
+-extern void krb5int_des_do_decrypt_2(unsigned DES_INT32 *l,
+- unsigned DES_INT32 *r,
+- const unsigned DES_INT32 *k);
+-#define DES_DO_ENCRYPT(L,R,K) krb5int_des_do_encrypt_2(&(L), &(R), (K))
+-#define DES_DO_DECRYPT(L,R,K) krb5int_des_do_decrypt_2(&(L), &(R), (K))
+-#else
+-#define DES_DO_ENCRYPT DES_DO_ENCRYPT_1
+-#define DES_DO_DECRYPT DES_DO_DECRYPT_1
+-#endif
+-
+-/*
+- * These are handy dandy utility thingies for straightening out bytes.
+- * Included here because they're used a couple of places. 
+- */
+-#define GET_HALF_BLOCK(lr, ip) ((lr) = load_32_be(ip), (ip) += 4)
+-#define PUT_HALF_BLOCK(lr, op) (store_32_be(lr, op), (op) += 4)
+-
+-/* Shorthand that we'll need in several places, for creating values that
+- really can hold 32 bits regardless of the prevailing int size. */
+-#define FF_UINT32 ((unsigned DES_INT32) 0xFF)
+-
+-#endif /* __DES_TABLES_H__ */
+diff --git a/src/lib/crypto/builtin/des/key_sched.c b/src/lib/crypto/builtin/des/key_sched.c
+deleted file mode 100644
+index d6dedd93c6..0000000000
+--- a/src/lib/crypto/builtin/des/key_sched.c
++++ /dev/null
+@@ -1,66 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* lib/crypto/builtin/des/key_sched.c */
+-/*
+- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
+- * of Technology.
+- * All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty. 
+- */
+-
+-/*
+- * This routine computes the DES key schedule given a key. The
+- * permutations and shifts have been done at compile time, resulting
+- * in a direct one-step mapping from the input key to the key
+- * schedule.
+- *
+- * Also checks parity and weak keys.
+- *
+- * Watch out for the subscripts -- most effectively start at 1 instead
+- * of at zero. Maybe some bugs in that area.
+- *
+- * In case the user wants to cache the computed key schedule, it is
+- * passed as an arg. Also implies that caller has explicit control
+- * over zeroing both the key schedule and the key.
+- *
+- * Originally written 6/85 by Steve Miller, MIT Project Athena.
+- */
+-
+-#include "crypto_int.h"
+-#include "des_int.h"
+-
+-#ifdef K5_BUILTIN_DES
+-
+-int
+-mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule)
+-{
+- mit_des_make_key_sched(k,schedule);
+-
+- if (!mit_des_check_key_parity(k)) /* bad parity --> return -1 */
+- return(-1);
+-
+- if (mit_des_is_weak_key(k))
+- return(-2);
+-
+- /* if key was good, return 0 */
+- return 0;
+-}
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/builtin/des/keytest.data b/src/lib/crypto/builtin/des/keytest.data
+deleted file mode 100644
+index 7ff34eedcf..0000000000
+--- a/src/lib/crypto/builtin/des/keytest.data
++++ /dev/null
+@@ -1,171 +0,0 @@
+-0101010101010101 95F8A5E5DD31D900 8000000000000000
+-0101010101010101 DD7F121CA5015619 4000000000000000
+-0101010101010101 2E8653104F3834EA 2000000000000000
+-0101010101010101 4BD388FF6CD81D4F 1000000000000000
+-0101010101010101 20B9E767B2FB1456 0800000000000000
+-0101010101010101 55579380D77138EF 0400000000000000
+-0101010101010101 6CC5DEFAAF04512F 0200000000000000
+-0101010101010101 0D9F279BA5D87260 0100000000000000
+-0101010101010101 D9031B0271BD5A0A 0080000000000000
+-0101010101010101 424250B37C3DD951 0040000000000000
+-0101010101010101 B8061B7ECD9A21E5 0020000000000000
+-0101010101010101 F15D0F286B65BD28 0010000000000000
+-0101010101010101 ADD0CC8D6E5DEBA1 
0008000000000000
+-0101010101010101 E6D5F82752AD63D1 0004000000000000
+-0101010101010101 ECBFE3BD3F591A5E 0002000000000000
+-0101010101010101 F356834379D165CD 0001000000000000
+-0101010101010101 2B9F982F20037FA9 0000800000000000
+-0101010101010101 889DE068A16F0BE6 0000400000000000
+-0101010101010101 E19E275D846A1298 0000200000000000
+-0101010101010101 329A8ED523D71AEC 0000100000000000
+-0101010101010101 E7FCE22557D23C97 0000080000000000
+-0101010101010101 12A9F5817FF2D65D 0000040000000000
+-0101010101010101 A484C3AD38DC9C19 0000020000000000
+-0101010101010101 FBE00A8A1EF8AD72 0000010000000000
+-0101010101010101 750D079407521363 0000008000000000
+-0101010101010101 64FEED9C724C2FAF 0000004000000000
+-0101010101010101 F02B263B328E2B60 0000002000000000
+-0101010101010101 9D64555A9A10B852 0000001000000000
+-0101010101010101 D106FF0BED5255D7 0000000800000000
+-0101010101010101 E1652C6B138C64A5 0000000400000000
+-0101010101010101 E428581186EC8F46 0000000200000000
+-0101010101010101 AEB5F5EDE22D1A36 0000000100000000
+-0101010101010101 E943D7568AEC0C5C 0000000080000000
+-0101010101010101 DF98C8276F54B04B 0000000040000000
+-0101010101010101 B160E4680F6C696F 0000000020000000
+-0101010101010101 FA0752B07D9C4AB8 0000000010000000
+-0101010101010101 CA3A2B036DBC8502 0000000008000000
+-0101010101010101 5E0905517BB59BCF 0000000004000000
+-0101010101010101 814EEB3B91D90726 0000000002000000
+-0101010101010101 4D49DB1532919C9F 0000000001000000
+-0101010101010101 25EB5FC3F8CF0621 0000000000800000
+-0101010101010101 AB6A20C0620D1C6F 0000000000400000
+-0101010101010101 79E90DBC98F92CCA 0000000000200000
+-0101010101010101 866ECEDD8072BB0E 0000000000100000
+-0101010101010101 8B54536F2F3E64A8 0000000000080000
+-0101010101010101 EA51D3975595B86B 0000000000040000
+-0101010101010101 CAFFC6AC4542DE31 0000000000020000
+-0101010101010101 8DD45A2DDF90796C 0000000000010000
+-0101010101010101 1029D55E880EC2D0 0000000000008000
+-0101010101010101 5D86CB23639DBEA9 0000000000004000
+-0101010101010101 
1D1CA853AE7C0C5F 0000000000002000
+-0101010101010101 CE332329248F3228 0000000000001000
+-0101010101010101 8405D1ABE24FB942 0000000000000800
+-0101010101010101 E643D78090CA4207 0000000000000400
+-0101010101010101 48221B9937748A23 0000000000000200
+-0101010101010101 DD7C0BBD61FAFD54 0000000000000100
+-0101010101010101 2FBC291A570DB5C4 0000000000000080
+-0101010101010101 E07C30D7E4E26E12 0000000000000040
+-0101010101010101 0953E2258E8E90A1 0000000000000020
+-0101010101010101 5B711BC4CEEBF2EE 0000000000000010
+-0101010101010101 CC083F1E6D9E85F6 0000000000000008
+-0101010101010101 D2FD8867D50D2DFE 0000000000000004
+-0101010101010101 06E7EA22CE92708F 0000000000000002
+-0101010101010101 166B40B44ABA4BD6 0000000000000001
+-8001010101010101 0000000000000000 95A8D72813DAA94D
+-4001010101010101 0000000000000000 0EEC1487DD8C26D5
+-2001010101010101 0000000000000000 7AD16FFB79C45926
+-1001010101010101 0000000000000000 D3746294CA6A6CF3
+-0801010101010101 0000000000000000 809F5F873C1FD761
+-0401010101010101 0000000000000000 C02FAFFEC989D1FC
+-0201010101010101 0000000000000000 4615AA1D33E72F10
+-0180010101010101 0000000000000000 2055123350C00858
+-0140010101010101 0000000000000000 DF3B99D6577397C8
+-0120010101010101 0000000000000000 31FE17369B5288C9
+-0110010101010101 0000000000000000 DFDD3CC64DAE1642
+-0108010101010101 0000000000000000 178C83CE2B399D94
+-0104010101010101 0000000000000000 50F636324A9B7F80
+-0102010101010101 0000000000000000 A8468EE3BC18F06D
+-0101800101010101 0000000000000000 A2DC9E92FD3CDE92
+-0101400101010101 0000000000000000 CAC09F797D031287
+-0101200101010101 0000000000000000 90BA680B22AEB525
+-0101100101010101 0000000000000000 CE7A24F350E280B6
+-0101080101010101 0000000000000000 882BFF0AA01A0B87
+-0101040101010101 0000000000000000 25610288924511C2
+-0101020101010101 0000000000000000 C71516C29C75D170
+-0101018001010101 0000000000000000 5199C29A52C9F059
+-0101014001010101 0000000000000000 C22F0A294A71F29F
+-0101012001010101 0000000000000000 EE371483714C02EA
+-0101011001010101 0000000000000000 A81FBD448F9E522F
+-0101010801010101 0000000000000000 4F644C92E192DFED
+-0101010401010101 0000000000000000 1AFA9A66A6DF92AE
+-0101010201010101 0000000000000000 B3C1CC715CB879D8
+-0101010180010101 0000000000000000 19D032E64AB0BD8B
+-0101010140010101 0000000000000000 3CFAA7A7DC8720DC
+-0101010120010101 0000000000000000 B7265F7F447AC6F3
+-0101010110010101 0000000000000000 9DB73B3C0D163F54
+-0101010108010101 0000000000000000 8181B65BABF4A975
+-0101010104010101 0000000000000000 93C9B64042EAA240
+-0101010102010101 0000000000000000 5570530829705592
+-0101010101800101 0000000000000000 8638809E878787A0
+-0101010101400101 0000000000000000 41B9A79AF79AC208
+-0101010101200101 0000000000000000 7A9BE42F2009A892
+-0101010101100101 0000000000000000 29038D56BA6D2745
+-0101010101080101 0000000000000000 5495C6ABF1E5DF51
+-0101010101040101 0000000000000000 AE13DBD561488933
+-0101010101020101 0000000000000000 024D1FFA8904E389
+-0101010101018001 0000000000000000 D1399712F99BF02E
+-0101010101014001 0000000000000000 14C1D7C1CFFEC79E
+-0101010101012001 0000000000000000 1DE5279DAE3BED6F
+-0101010101011001 0000000000000000 E941A33F85501303
+-0101010101010801 0000000000000000 DA99DBBC9A03F379
+-0101010101010401 0000000000000000 B7FC92F91D8E92E9
+-0101010101010201 0000000000000000 AE8E5CAA3CA04E85
+-0101010101010180 0000000000000000 9CC62DF43B6EED74
+-0101010101010140 0000000000000000 D863DBB5C59A91A0
+-0101010101010120 0000000000000000 A1AB2190545B91D7
+-0101010101010110 0000000000000000 0875041E64C570F7
+-0101010101010108 0000000000000000 5A594528BEBEF1CC
+-0101010101010104 0000000000000000 FCDB3291DE21F0C0
+-0101010101010102 0000000000000000 869EFD7F9F265A09
+-1046913489980131 0000000000000000 88D55E54F54C97B4
+-1007103489988020 0000000000000000 0C0CC00C83EA48FD
+-10071034C8980120 0000000000000000 83BC8EF3A6570183
+-1046103489988020 0000000000000000 DF725DCAD94EA2E9
+-1086911519190101 0000000000000000 E652B53B550BE8B0
+-1086911519580101 0000000000000000 
AF527120C485CBB0 +-5107B01519580101 0000000000000000 0F04CE393DB926D5 +-1007B01519190101 0000000000000000 C9F00FFC74079067 +-3107915498080101 0000000000000000 7CFD82A593252B4E +-3107919498080101 0000000000000000 CB49A2F9E91363E3 +-10079115B9080140 0000000000000000 00B588BE70D23F56 +-3107911598080140 0000000000000000 406A9A6AB43399AE +-1007D01589980101 0000000000000000 6CB773611DCA9ADA +-9107911589980101 0000000000000000 67FD21C17DBB5D70 +-9107D01589190101 0000000000000000 9592CB4110430787 +-1007D01598980120 0000000000000000 A6B7FF68A318DDD3 +-1007940498190101 0000000000000000 4D102196C914CA16 +-0107910491190401 0000000000000000 2DFA9F4573594965 +-0107910491190101 0000000000000000 B46604816C0E0774 +-0107940491190401 0000000000000000 6E7E6221A4F34E87 +-19079210981A0101 0000000000000000 AA85E74643233199 +-1007911998190801 0000000000000000 2E5A19DB4D1962D6 +-10079119981A0801 0000000000000000 23A866A809D30894 +-1007921098190101 0000000000000000 D812D961F017D320 +-100791159819010B 0000000000000000 055605816E58608F +-1004801598190101 0000000000000000 ABD88E8B1B7716F1 +-1004801598190102 0000000000000000 537AC95BE69DA1E1 +-1004801598190108 0000000000000000 AED0F6AE3C25CDD8 +-1002911598100104 0000000000000000 B3E35A5EE53E7B8D +-1002911598190104 0000000000000000 61C79C71921A2EF8 +-1002911598100201 0000000000000000 E2F5728F0995013C +-1002911698100101 0000000000000000 1AEAC39A61F0A464 +-7CA110454A1A6E57 01A1D6D039776742 690F5B0D9A26939B +-0131D9619DC1376E 5CD54CA83DEF57DA 7A389D10354BD271 +-07A1133E4A0B2686 0248D43806F67172 868EBB51CAB4599A +-3849674C2602319E 51454B582DDF440A 7178876E01F19B2A +-04B915BA43FEB5B6 42FD443059577FA2 AF37FB421F8C4095 +-0113B970FD34F2CE 059B5E0851CF143A 86A560F10EC6D85B +-0170F175468FB5E6 0756D8E0774761D2 0CD3DA020021DC09 +-43297FAD38E373FE 762514B829BF486A EA676B2CB7DB2B7A +-07A7137045DA2A16 3BDD119049372802 DFD64A815CAF1A0F +-04689104C2FD3B2F 26955F6835AF609A 5C513C9C4886C088 +-37D06BB516CB7546 164D5E404F275232 0A2AEEAE3FF4AB77 +-1F08260D1AC2465E 
6B056E18759F5CCA EF1BF03E5DFA575A +-584023641ABA6176 004BD6EF09176062 88BF0DB6D70DEE56 +-025816164629B007 480D39006EE762F2 A1F9915541020B56 +-49793EBC79B3258F 437540C8698F3CFA 6FBF1CAFCFFD0556 +-4FB05E1515AB73A7 072D43A077075292 2F22E49BAB7CA1AC +-49E95D6D4CA229BF 02FE55778117F12A 5A6B612CC26CCE4A +-018310DC409B26D6 1D9D5C5018F728C2 5F4C038ED12B2E41 +-1C587F1C13924FEF 305532286D6F295A 63FAC0D034D9F793 +diff --git a/src/lib/crypto/builtin/des/t_verify.c b/src/lib/crypto/builtin/des/t_verify.c +deleted file mode 100644 +index 4a19933cad..0000000000 +--- a/src/lib/crypto/builtin/des/t_verify.c ++++ /dev/null +@@ -1,395 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/builtin/des/t_verify.c */ +-/* +- * Copyright 1988, 1990 by the Massachusetts Institute of Technology. +- * All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. 
+- */ +-/* +- * Copyright (C) 1998 by the FundsXpress, INC. +- * +- * All rights reserved. +- * +- * Export of this software from the United States of America may require +- * a specific license from the United States Government. It is the +- * responsibility of any person or organization contemplating export to +- * obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of FundsXpress. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. FundsXpress makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- * +- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR +- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED +- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. +- */ +- +-/* +- * +- * Program to test the correctness of the DES library +- * implementation. 
+- * +- * exit returns 0 ==> success +- * -1 ==> error +- */ +- +-#include "k5-int.h" +-#include "des_int.h" +-#include +-#include "com_err.h" +- +-static void do_encrypt(unsigned char *, unsigned char *); +-static void do_decrypt(unsigned char *, unsigned char *); +- +-char *progname; +-int nflag = 2; +-int vflag; +-int mflag; +-int zflag; +-int pid; +-int mit_des_debug; +- +-unsigned char cipher_text[64]; +-unsigned char clear_text[64] = "Now is the time for all " ; +-unsigned char clear_text2[64] = "7654321 Now is the time for "; +-unsigned char clear_text3[64] = {2,0,0,0, 1,0,0,0}; +-unsigned char output[64]; +-unsigned char zero_text[8] = {0x0,0,0,0,0,0,0,0}; +-unsigned char msb_text[8] = {0x0,0,0,0, 0,0,0,0x40}; /* to ANSI MSB */ +-unsigned char *input; +- +-/* 0x0123456789abcdef */ +-unsigned char default_key[8] = { +- 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef +-}; +-unsigned char key2[8] = { 0x08,0x19,0x2a,0x3b,0x4c,0x5d,0x6e,0x7f }; +-unsigned char key3[8] = { 0x80,1,1,1,1,1,1,1 }; +-mit_des_cblock s_key; +-unsigned char default_ivec[8] = { +- 0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef +-}; +-unsigned char *ivec; +-unsigned char zero_key[8] = {1,1,1,1,1,1,1,1}; /* just parity bits */ +- +-unsigned char cipher1[8] = { +- 0x25,0xdd,0xac,0x3e,0x96,0x17,0x64,0x67 +-}; +-unsigned char cipher2[8] = { +- 0x3f,0xa4,0x0e,0x8a,0x98,0x4d,0x48,0x15 +-}; +-unsigned char cipher3[64] = { +- 0xe5,0xc7,0xcd,0xde,0x87,0x2b,0xf2,0x7c, +- 0x43,0xe9,0x34,0x00,0x8c,0x38,0x9c,0x0f, +- 0x68,0x37,0x88,0x49,0x9a,0x7c,0x05,0xf6 +-}; +-unsigned char checksum[8] = { +- 0x58,0xd2,0xe7,0x7e,0x86,0x06,0x27,0x33 +-}; +- +-unsigned char zresult[8] = { +- 0x8c, 0xa6, 0x4d, 0xe9, 0xc1, 0xb1, 0x23, 0xa7 +-}; +- +-unsigned char mresult[8] = { +- 0xa3, 0x80, 0xe0, 0x2a, 0x6b, 0xe5, 0x46, 0x96 +-}; +- +- +-/* +- * Can also add : +- * plaintext = 0, key = 0, cipher = 0x8ca64de9c1b123a7 (or is it a 1?) 
+- */ +- +-mit_des_key_schedule sched; +- +-int +-main(argc,argv) +- int argc; +- char *argv[]; +-{ +- /* Local Declarations */ +- size_t in_length; +- int retval; +- int i, j; +- +-#ifdef WINDOWS +- /* Set screen window buffer to infinite size -- MS default is tiny. */ +- _wsetscreenbuf (fileno (stdout), _WINBUFINF); +-#endif +- progname=argv[0]; /* salt away invoking program */ +- +- while (--argc > 0 && (*++argv)[0] == '-') +- for (i=1; argv[0][i] != '\0'; i++) { +- switch (argv[0][i]) { +- +- /* debug flag */ +- case 'd': +- mit_des_debug=3; +- continue; +- +- case 'z': +- zflag = 1; +- continue; +- +- case 'm': +- mflag = 1; +- continue; +- +- default: +- printf("%s: illegal flag \"%c\" ", +- progname,argv[0][i]); +- exit(1); +- } +- }; +- +- if (argc) { +- fprintf(stderr, "Usage: %s [-dmz]\n", progname); +- exit(1); +- } +- +- /* do some initialisation */ +- +- /* use known input and key */ +- +- /* ECB zero text zero key */ +- if (zflag) { +- input = zero_text; +- mit_des_key_sched(zero_key, sched); +- printf("plaintext = key = 0, cipher = 0x8ca64de9c1b123a7\n"); +- do_encrypt(input,cipher_text); +- printf("\tcipher = (low to high bytes)\n\t\t"); +- for (j = 0; j<=7; j++) +- printf("%02x ",cipher_text[j]); +- printf("\n"); +- do_decrypt(output,cipher_text); +- if ( memcmp((char *)cipher_text, (char *)zresult, 8) ) { +- printf("verify: error in zero key test\n"); +- exit(-1); +- } +- +- exit(0); +- } +- +- if (mflag) { +- input = msb_text; +- mit_des_key_sched(key3, sched); +- printf("plaintext = 0x00 00 00 00 00 00 00 40, "); +- printf("key = 0x80 01 01 01 01 01 01 01\n"); +- printf(" cipher = 0xa380e02a6be54696\n"); +- do_encrypt(input,cipher_text); +- printf("\tcipher = (low to high bytes)\n\t\t"); +- for (j = 0; j<=7; j++) { +- printf("%02x ",cipher_text[j]); +- } +- printf("\n"); +- do_decrypt(output,cipher_text); +- if ( memcmp((char *)cipher_text, (char *)mresult, 8) ) { +- printf("verify: error in msb test\n"); +- exit(-1); +- } +- exit(0); +- } +- +- 
/* ECB mode Davies and Price */ +- { +- input = zero_text; +- mit_des_key_sched(key2, sched); +- printf("Examples per FIPS publication 81, keys ivs and cipher\n"); +- printf("in hex. These are the correct answers, see below for\n"); +- printf("the actual answers.\n\n"); +- printf("Examples per Davies and Price.\n\n"); +- printf("EXAMPLE ECB\tkey = 08192a3b4c5d6e7f\n"); +- printf("\tclear = 0\n"); +- printf("\tcipher = 25 dd ac 3e 96 17 64 67\n"); +- printf("ACTUAL ECB\n"); +- printf("\tclear \"%s\"\n", input); +- do_encrypt(input,cipher_text); +- printf("\tcipher = (low to high bytes)\n\t\t"); +- for (j = 0; j<=7; j++) +- printf("%02x ",cipher_text[j]); +- printf("\n\n"); +- do_decrypt(output,cipher_text); +- if ( memcmp((char *)cipher_text, (char *)cipher1, 8) ) { +- printf("verify: error in ECB encryption\n"); +- exit(-1); +- } +- else +- printf("verify: ECB encryption is correct\n\n"); +- } +- +- /* ECB mode */ +- { +- mit_des_key_sched(default_key, sched); +- input = clear_text; +- ivec = default_ivec; +- printf("EXAMPLE ECB\tkey = 0123456789abcdef\n"); +- printf("\tclear = \"Now is the time for all \"\n"); +- printf("\tcipher = 3f a4 0e 8a 98 4d 48 15 ...\n"); +- printf("ACTUAL ECB\n\tclear \"%s\"",input); +- do_encrypt(input,cipher_text); +- printf("\n\tcipher = (low to high bytes)\n\t\t"); +- for (j = 0; j<=7; j++) { +- printf("%02x ",cipher_text[j]); +- } +- printf("\n\n"); +- do_decrypt(output,cipher_text); +- if ( memcmp((char *)cipher_text, (char *)cipher2, 8) ) { +- printf("verify: error in ECB encryption\n"); +- exit(-1); +- } +- else +- printf("verify: ECB encryption is correct\n\n"); +- } +- +- /* CBC mode */ +- printf("EXAMPLE CBC\tkey = 0123456789abcdef"); +- printf("\tiv = 1234567890abcdef\n"); +- printf("\tclear = \"Now is the time for all \"\n"); +- printf("\tcipher =\te5 c7 cd de 87 2b f2 7c\n"); +- printf("\t\t\t43 e9 34 00 8c 38 9c 0f\n"); +- printf("\t\t\t68 37 88 49 9a 7c 05 f6\n"); +- +- printf("ACTUAL CBC\n\tclear \"%s\"\n",input); +- 
in_length = strlen((char *)input); +- if ((retval = mit_des_cbc_encrypt((const mit_des_cblock *) input, +- (mit_des_cblock *) cipher_text, +- (size_t) in_length, +- sched, +- ivec, +- MIT_DES_ENCRYPT))) { +- com_err("des verify", retval, "can't encrypt"); +- exit(-1); +- } +- printf("\tciphertext = (low to high bytes)\n"); +- for (i = 0; i <= 2; i++) { +- printf("\t\t"); +- for (j = 0; j <= 7; j++) { +- printf("%02x ",cipher_text[i*8+j]); +- } +- printf("\n"); +- } +- if ((retval = mit_des_cbc_encrypt((const mit_des_cblock *) cipher_text, +- (mit_des_cblock *) clear_text, +- (size_t) in_length, +- sched, +- ivec, +- MIT_DES_DECRYPT))) { +- com_err("des verify", retval, "can't decrypt"); +- exit(-1); +- } +- printf("\tdecrypted clear_text = \"%s\"\n",clear_text); +- +- if ( memcmp((char *)cipher_text, (char *)cipher3, in_length) ) { +- printf("verify: error in CBC encryption\n"); +- exit(-1); +- } +- else +- printf("verify: CBC encryption is correct\n\n"); +- +- printf("EXAMPLE CBC checksum"); +- printf("\tkey = 0123456789abcdef\tiv = 1234567890abcdef\n"); +- printf("\tclear =\t\t\"7654321 Now is the time for \"\n"); +- printf("\tchecksum\t58 d2 e7 7e 86 06 27 33, "); +- printf("or some part thereof\n"); +- input = clear_text2; +- mit_des_cbc_cksum(input,cipher_text, strlen((char *)input), +- sched,ivec); +- printf("ACTUAL CBC checksum\n"); +- printf("\t\tencrypted cksum = (low to high bytes)\n\t\t"); +- for (j = 0; j<=7; j++) +- printf("%02x ",cipher_text[j]); +- printf("\n\n"); +- if ( memcmp((char *)cipher_text, (char *)checksum, 8) ) { +- printf("verify: error in CBC checksum\n"); +- exit(-1); +- } +- else +- printf("verify: CBC checksum is correct\n\n"); +- +- exit(0); +-} +- +-static void +-do_encrypt(in,out) +- unsigned char *in; +- unsigned char *out; +-{ +- int i, j; +- for (i =1; i<=nflag; i++) { +- mit_des_cbc_encrypt((const mit_des_cblock *)in, +- (mit_des_cblock *)out, +- 8, +- sched, +- zero_text, +- MIT_DES_ENCRYPT); +- if (mit_des_debug) { +- 
printf("\nclear %s\n",in); +- for (j = 0; j<=7; j++) +- printf("%02X ",in[j] & 0xff); +- printf("\tcipher "); +- for (j = 0; j<=7; j++) +- printf("%02X ",out[j] & 0xff); +- } +- } +-} +- +-static void +-do_decrypt(in,out) +- unsigned char *out; +- unsigned char *in; +- /* try to invert it */ +-{ +- int i, j; +- for (i =1; i<=nflag; i++) { +- mit_des_cbc_encrypt((const mit_des_cblock *)out, +- (mit_des_cblock *)in, +- 8, +- sched, +- zero_text, +- MIT_DES_DECRYPT); +- if (mit_des_debug) { +- printf("clear %s\n",in); +- for (j = 0; j<=7; j++) +- printf("%02X ",in[j] & 0xff); +- printf("\tcipher "); +- for (j = 0; j<=7; j++) +- printf("%02X ",out[j] & 0xff); +- } +- } +-} +- +-/* +- * Fake out the DES library, for the purposes of testing. +- */ +- +-int +-mit_des_is_weak_key(key) +- mit_des_cblock key; +-{ +- return 0; /* fake it out for testing */ +-} +diff --git a/src/lib/crypto/builtin/des/weak_key.c b/src/lib/crypto/builtin/des/weak_key.c +deleted file mode 100644 +index f8304a3638..0000000000 +--- a/src/lib/crypto/builtin/des/weak_key.c ++++ /dev/null +@@ -1,90 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/builtin/des/weak_key.c */ +-/* +- * Copyright 1989,1990 by the Massachusetts Institute of Technology. +- * All Rights Reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. 
not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-/* +- * Under U.S. law, this software may not be exported outside the US +- * without license from the U.S. Commerce department. +- * +- * These routines form the library interface to the DES facilities. +- * +- * Originally written 8/85 by Steve Miller, MIT Project Athena. +- */ +- +-#include "crypto_int.h" +-#include "des_int.h" +- +-#ifdef K5_BUILTIN_DES +- +-/* +- * The following are the weak DES keys: +- */ +-static const mit_des_cblock weak[16] = { +- /* weak keys */ +- {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, +- {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe}, +- {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e}, +- {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1}, +- +- /* semi-weak */ +- {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe}, +- {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01}, +- +- {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1}, +- {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e}, +- +- {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1}, +- {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01}, +- +- {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe}, +- {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e}, +- +- {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e}, +- {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01}, +- +- {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe}, +- {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1} +-}; +- +-/* +- * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key. +- * +- * Requires: key has correct odd parity. 
+- */
+-int
+-mit_des_is_weak_key(mit_des_cblock key)
+-{
+- unsigned int i;
+- const mit_des_cblock *weak_p = weak;
+-
+- for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
+- if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
+- return 1;
+- }
+-
+- return 0;
+-}
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/builtin/enc_provider/Makefile.in b/src/lib/crypto/builtin/enc_provider/Makefile.in
+index 6ad7cbd4e0..655966b255 100644
+--- a/src/lib/crypto/builtin/enc_provider/Makefile.in
++++ b/src/lib/crypto/builtin/enc_provider/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)crypto$(S)builtin$(S)enc_provider
+ BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+-LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../aes -I$(srcdir)/../camellia \
++LOCALINCLUDES = -I$(srcdir)/../aes -I$(srcdir)/../camellia \
+ -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS)
+
+ ##DOS##BUILDTOP = ..\..\..\..
+@@ -8,19 +8,16 @@ LOCALINCLUDES = -I$(srcdir)/../des -I$(srcdir)/../aes -I$(srcdir)/../camellia \
+ ##DOS##OBJFILE = ..\..\$(OUTPRE)enc_provider.lst
+
+ STLIBOBJS= \
+- des3.o \
+ rc4.o \
+ aes.o \
+ camellia.o
+
+ OBJS= \
+- $(OUTPRE)des3.$(OBJEXT) \
+ $(OUTPRE)aes.$(OBJEXT) \
+ $(OUTPRE)camellia.$(OBJEXT) \
+ $(OUTPRE)rc4.$(OBJEXT)
+
+ SRCS= \
+- $(srcdir)/des3.c \
+ $(srcdir)/aes.c \
+ $(srcdir)/camellia.c \
+ $(srcdir)/rc4.c
+diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps
+index a3414a38ec..dc29d9fce8 100644
+--- a/src/lib/crypto/builtin/enc_provider/deps
++++ b/src/lib/crypto/builtin/enc_provider/deps
+@@ -1,17 +1,6 @@
+ #
+ # Generated makefile dependencies follow.
+ #
+-des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
+- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \
+- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+- $(top_srcdir)/include/socket-utils.h des3.c
+ aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
+diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c
+deleted file mode 100644
+index c2634d5e10..0000000000
+--- a/src/lib/crypto/builtin/enc_provider/des3.c
++++ /dev/null
+@@ -1,109 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/*
+- * Copyright (C) 1998 by the FundsXpress, INC.
+- *
+- * All rights reserved.
+- *
+- * Export of this software from the United States of America may require
+- * a specific license from the United States Government. It is the
+- * responsibility of any person or organization contemplating export to
+- * obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of FundsXpress. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. FundsXpress makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- *
+- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+- */
+-
+-#include "crypto_int.h"
+-#include "des_int.h"
+-
+-#ifdef K5_BUILTIN_DES
+-
+-static krb5_error_code
+-validate_and_schedule(krb5_key key, const krb5_data *ivec,
+- const krb5_crypto_iov *data, size_t num_data,
+- mit_des3_key_schedule *schedule)
+-{
+- if (key->keyblock.length != 24)
+- return(KRB5_BAD_KEYSIZE);
+- if (iov_total_length(data, num_data, FALSE) % 8 != 0)
+- return(KRB5_BAD_MSIZE);
+- if (ivec && (ivec->length != 8))
+- return(KRB5_BAD_MSIZE);
+-
+- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
+- *schedule)) {
+- case -1:
+- return(KRB5DES_BAD_KEYPAR);
+- case -2:
+- return(KRB5DES_WEAK_KEY);
+- }
+- return 0;
+-}
+-
+-static krb5_error_code
+-k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+- size_t num_data)
+-{
+- mit_des3_key_schedule schedule;
+- krb5_error_code err;
+-
+- err = validate_and_schedule(key, ivec, data, num_data, &schedule);
+- if (err)
+- return err;
+-
+- /* this has a return value, but the code always returns zero */
+- krb5int_des3_cbc_encrypt(data, num_data,
+- schedule[0], schedule[1], schedule[2],
+- ivec != NULL ? (unsigned char *) ivec->data :
+- NULL);
+-
+- zap(schedule, sizeof(schedule));
+-
+- return(0);
+-}
+-
+-static krb5_error_code
+-k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+- size_t num_data)
+-{
+- mit_des3_key_schedule schedule;
+- krb5_error_code err;
+-
+- err = validate_and_schedule(key, ivec, data, num_data, &schedule);
+- if (err)
+- return err;
+-
+- /* this has a return value, but the code always returns zero */
+- krb5int_des3_cbc_decrypt(data, num_data,
+- schedule[0], schedule[1], schedule[2],
+- ivec != NULL ? (unsigned char *) ivec->data :
+- NULL);
+-
+- zap(schedule, sizeof(schedule));
+-
+- return 0;
+-}
+-
+-const struct krb5_enc_provider krb5int_enc_des3 = {
+- 8,
+- 21, 24,
+- k5_des3_encrypt,
+- k5_des3_decrypt,
+- NULL,
+- krb5int_des_init_state,
+- krb5int_default_free_state
+-};
+-
+-#endif /* K5_BUILTIN_DES */
+diff --git a/src/lib/crypto/crypto_tests/t_cf2.expected b/src/lib/crypto/crypto_tests/t_cf2.expected
+index f8251a16cb..bc6aa50c84 100644
+--- a/src/lib/crypto/crypto_tests/t_cf2.expected
++++ b/src/lib/crypto/crypto_tests/t_cf2.expected
+@@ -1,6 +1,5 @@
+ 97df97e4b798b29eb31ed7280287a92a
+ 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b
+-e58f9eb643862c13ad38e529313462a7f73e62834fe54a01
+ 24d7f6b6bae4e5c00d2082c5ebab3672
+ edd02a39d2dbde31611c16e610be062c
+ 67f6ea530aea85a37dcbb23349ea52dcc61ca8493ff557252327fd8304341584
+diff --git a/src/lib/crypto/crypto_tests/t_cf2.in b/src/lib/crypto/crypto_tests/t_cf2.in
+index 73e2f8fbc9..c4d23b506b 100644
+--- a/src/lib/crypto/crypto_tests/t_cf2.in
++++ b/src/lib/crypto/crypto_tests/t_cf2.in
+@@ -8,11 +8,6 @@ key1
+ key2
+ a
+ b
+-16
+-key1
+-key2
+-a
+-b
+ 23
+ key1
+ key2
+diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
+index 557340ec5e..9f9a177ef0 100644
+--- a/src/lib/crypto/crypto_tests/t_cksums.c
++++ b/src/lib/crypto/crypto_tests/t_cksums.c
+@@
-59,16 +59,6 @@ struct test { + "\xDA\x39\xA3\xEE\x5E\x6B\x4B\x0D\x32\x55\xBF\xEF\x95\x60\x18\x90" + "\xAF\xD8\x07\x09" } + }, +- { +- { KV5M_DATA, 9, "six seven" }, +- CKSUMTYPE_HMAC_SHA1_DES3, ENCTYPE_DES3_CBC_SHA1, 2, +- { KV5M_DATA, 24, +- "\x7A\x25\xDF\x89\x92\x29\x6D\xCE\xDA\x0E\x13\x5B\xC4\x04\x6E\x23" +- "\x75\xB3\xC1\x4C\x98\xFB\xC1\x62" }, +- { KV5M_DATA, 20, +- "\x0E\xEF\xC9\xC3\xE0\x49\xAA\xBC\x1B\xA5\xC4\x01\x67\x7D\x9A\xB6" +- "\x99\x08\x2B\xB4" } +- }, + { + { KV5M_DATA, 37, "eight nine ten eleven twelve thirteen" }, + CKSUMTYPE_HMAC_SHA1_96_AES128, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 3, +diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c +index a40a855007..716f2c337a 100644 +--- a/src/lib/crypto/crypto_tests/t_decrypt.c ++++ b/src/lib/crypto/crypto_tests/t_decrypt.c +@@ -39,62 +39,6 @@ struct test { + krb5_data keybits; + krb5_data ciphertext; + } test_cases[] = { +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 0, "", }, 0, +- { KV5M_DATA, 24, +- "\x7A\x25\xDF\x89\x92\x29\x6D\xCE\xDA\x0E\x13\x5B\xC4\x04\x6E\x23" +- "\x75\xB3\xC1\x4C\x98\xFB\xC1\x62" }, +- { KV5M_DATA, 28, +- "\x54\x8A\xF4\xD5\x04\xF7\xD7\x23\x30\x3F\x12\x17\x5F\xE8\x38\x6B" +- "\x7B\x53\x35\xA9\x67\xBA\xD6\x1F\x3B\xF0\xB1\x43" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 1, "1", }, 1, +- { KV5M_DATA, 24, +- "\xBC\x07\x83\x89\x15\x13\xD5\xCE\x57\xBC\x13\x8F\xD3\xC1\x1A\xE6" +- "\x40\x45\x23\x85\x32\x29\x62\xB6" }, +- { KV5M_DATA, 36, +- "\x9C\x3C\x1D\xBA\x47\x47\xD8\x5A\xF2\x91\x6E\x47\x45\xF2\xDC\xE3" +- "\x80\x46\x79\x6E\x51\x04\xBC\xCD\xFB\x66\x9A\x91\xD4\x4B\xC3\x56" +- "\x66\x09\x45\xC7" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 9, "9 bytesss", }, 2, +- { KV5M_DATA, 24, +- "\x2F\xD0\xF7\x25\xCE\x04\x10\x0D\x2F\xC8\xA1\x80\x98\x83\x1F\x85" +- "\x0B\x45\xD9\xEF\x85\x0B\xD9\x20" }, +- { KV5M_DATA, 44, +- "\xCF\x91\x44\xEB\xC8\x69\x79\x81\x07\x5A\x8B\xAD\x8D\x74\xE5\xD7" +- 
"\xD5\x91\xEB\x7D\x97\x70\xC7\xAD\xA2\x5E\xE8\xC5\xB3\xD6\x94\x44" +- "\xDF\xEC\x79\xA5\xB7\xA0\x14\x82\xD9\xAF\x74\xE6" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 13, "13 bytes byte", }, 3, +- { KV5M_DATA, 24, +- "\x0D\xD5\x20\x94\xE0\xF4\x1C\xEC\xCB\x5B\xE5\x10\xA7\x64\xB3\x51" +- "\x76\xE3\x98\x13\x32\xF1\xE5\x98" }, +- { KV5M_DATA, 44, +- "\x83\x9A\x17\x08\x1E\xCB\xAF\xBC\xDC\x91\xB8\x8C\x69\x55\xDD\x3C" +- "\x45\x14\x02\x3C\xF1\x77\xB7\x7B\xF0\xD0\x17\x7A\x16\xF7\x05\xE8" +- "\x49\xCB\x77\x81\xD7\x6A\x31\x6B\x19\x3F\x8D\x30" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 30, "30 bytes bytes bytes bytes byt", }, 4, +- { KV5M_DATA, 24, +- "\xF1\x16\x86\xCB\xBC\x9E\x23\xEA\x54\xFE\xCD\x2A\x3D\xCD\xFB\x20" +- "\xB6\xFE\x98\xBF\x26\x45\xC4\xC4" }, +- { KV5M_DATA, 60, +- "\x89\x43\x3E\x83\xFD\x0E\xA3\x66\x6C\xFF\xCD\x18\xD8\xDE\xEB\xC5" +- "\x3B\x9A\x34\xED\xBE\xB1\x59\xD9\xF6\x67\xC6\xC2\xB9\xA9\x64\x40" +- "\x1D\x55\xE7\xE9\xC6\x8D\x64\x8D\x65\xC3\xAA\x84\xFF\xA3\x79\x0C" +- "\x14\xA8\x64\xDA\x80\x73\xA9\xA9\x5C\x4B\xA2\xBC" } +- }, +- + { + ENCTYPE_ARCFOUR_HMAC, + { KV5M_DATA, 0, "", }, 0, +@@ -524,7 +468,6 @@ printhex(const char *head, void *data, size_t len) + + static krb5_enctype + enctypes[] = { +- ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_ARCFOUR_HMAC_EXP, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +diff --git a/src/lib/crypto/crypto_tests/t_derive.c b/src/lib/crypto/crypto_tests/t_derive.c +index afbf7477f6..93ce30da20 100644 +--- a/src/lib/crypto/crypto_tests/t_derive.c ++++ b/src/lib/crypto/crypto_tests/t_derive.c +@@ -38,41 +38,6 @@ struct test { + enum deriv_alg alg; + krb5_data expected_key; + } test_cases[] = { +- /* Kc, Ke, Kei for a DES3 key */ +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 24, +- "\x85\x0B\xB5\x13\x58\x54\x8C\xD0\x5E\x86\x76\x8C\x31\x3E\x3B\xFE" +- "\xF7\x51\x19\x37\xDC\xF7\x2C\x3E" }, +- { KV5M_DATA, 5, "\0\0\0\2\x99" }, +- DERIVE_RFC3961, +- { KV5M_DATA, 24, +- 
"\xF7\x8C\x49\x6D\x16\xE6\xC2\xDA\xE0\xE0\xB6\xC2\x40\x57\xA8\x4C" +- "\x04\x26\xAE\xEF\x26\xFD\x6D\xCE" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 24, +- "\x85\x0B\xB5\x13\x58\x54\x8C\xD0\x5E\x86\x76\x8C\x31\x3E\x3B\xFE" +- "\xF7\x51\x19\x37\xDC\xF7\x2C\x3E" }, +- { KV5M_DATA, 5, "\0\0\0\2\xAA" }, +- DERIVE_RFC3961, +- { KV5M_DATA, 24, +- "\x5B\x57\x23\xD0\xB6\x34\xCB\x68\x4C\x3E\xBA\x52\x64\xE9\xA7\x0D" +- "\x52\xE6\x83\x23\x1A\xD3\xC4\xCE" } +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- { KV5M_DATA, 24, +- "\x85\x0B\xB5\x13\x58\x54\x8C\xD0\x5E\x86\x76\x8C\x31\x3E\x3B\xFE" +- "\xF7\x51\x19\x37\xDC\xF7\x2C\x3E" }, +- { KV5M_DATA, 5, "\0\0\0\2\x55" }, +- DERIVE_RFC3961, +- { KV5M_DATA, 24, +- "\xA7\x7C\x94\x98\x0E\x9B\x73\x45\xA8\x15\x25\xC4\x23\xA7\x37\xCE" +- "\x67\xF4\xCD\x91\xB6\xB3\xDA\x45" } +- }, +- + /* Kc, Ke, Ki for an AES-128 key */ + { + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +@@ -286,7 +251,6 @@ static const struct krb5_enc_provider * + get_enc_provider(krb5_enctype enctype) + { + switch (enctype) { +- case ENCTYPE_DES3_CBC_SHA1: return &krb5int_enc_des3; + case ENCTYPE_AES128_CTS_HMAC_SHA1_96: return &krb5int_enc_aes128; + case ENCTYPE_AES256_CTS_HMAC_SHA1_96: return &krb5int_enc_aes256; + case ENCTYPE_CAMELLIA128_CTS_CMAC: return &krb5int_enc_camellia128; +diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c +index bd9b94691c..290a72e1e0 100644 +--- a/src/lib/crypto/crypto_tests/t_encrypt.c ++++ b/src/lib/crypto/crypto_tests/t_encrypt.c +@@ -37,7 +37,6 @@ + + /* What enctypes should we test?*/ + krb5_enctype interesting_enctypes[] = { +- ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_ARCFOUR_HMAC_EXP, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, +diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c +index d4c2b97dfd..4466b71158 100644 +--- a/src/lib/crypto/crypto_tests/t_short.c ++++ b/src/lib/crypto/crypto_tests/t_short.c +@@ -34,7 +34,6 @@ + #include "k5-int.h" + + 
krb5_enctype interesting_enctypes[] = { +- ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_ARCFOUR_HMAC_EXP, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, +diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c +index cdb1acc6d0..ef4c4a7d3b 100644 +--- a/src/lib/crypto/crypto_tests/t_str2key.c ++++ b/src/lib/crypto/crypto_tests/t_str2key.c +@@ -35,58 +35,6 @@ struct test { + krb5_error_code expected_err; + krb5_boolean allow_weak; + } test_cases[] = { +- /* Test vectors from RFC 3961 appendix A.4. */ +- { +- ENCTYPE_DES3_CBC_SHA1, +- "password", +- { KV5M_DATA, 21, "ATHENA.MIT.EDUraeburn" }, +- { KV5M_DATA, 0, NULL }, +- { KV5M_DATA, 24, "\x85\x0B\xB5\x13\x58\x54\x8C\xD0\x5E\x86\x76\x8C" +- "\x31\x3E\x3B\xFE\xF7\x51\x19\x37\xDC\xF7\x2C\x3E" }, +- 0, +- FALSE +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- "potatoe", +- { KV5M_DATA, 19, "WHITEHOUSE.GOVdanny" }, +- { KV5M_DATA, 0, NULL }, +- { KV5M_DATA, 24, "\xDF\xCD\x23\x3D\xD0\xA4\x32\x04\xEA\x6D\xC4\x37" +- "\xFB\x15\xE0\x61\xB0\x29\x79\xC1\xF7\x4F\x37\x7A" }, +- 0, +- FALSE +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- "penny", +- { KV5M_DATA, 19, "EXAMPLE.COMbuckaroo" }, +- { KV5M_DATA, 0, NULL }, +- { KV5M_DATA, 24, "\x6D\x2F\xCD\xF2\xD6\xFB\xBC\x3D\xDC\xAD\xB5\xDA" +- "\x57\x10\xA2\x34\x89\xB0\xD3\xB6\x9D\x5D\x9D\x4A" }, +- 0, +- FALSE +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- "\xC3\x9F", +- { KV5M_DATA, 23, "ATHENA.MIT.EDUJuri\xC5\xA1\x69\xC4\x87" }, +- { KV5M_DATA, 0, NULL }, +- { KV5M_DATA, 24, "\x16\xD5\xA4\x0E\x1C\xE3\xBA\xCB\x61\xB9\xDC\xE0" +- "\x04\x70\x32\x4C\x83\x19\x73\xA7\xB9\x52\xFE\xB0" }, +- 0, +- FALSE +- }, +- { +- ENCTYPE_DES3_CBC_SHA1, +- "\xF0\x9D\x84\x9E", +- { KV5M_DATA, 18, "EXAMPLE.COMpianist" }, +- { KV5M_DATA, 0, NULL }, +- { KV5M_DATA, 24, "\x85\x76\x37\x26\x58\x5D\xBC\x1C\xCE\x6E\xC4\x3E" +- "\x1F\x75\x1F\x07\xF1\xC4\xCB\xB0\x98\xF4\x0B\x19" }, +- 0, +- FALSE +- }, +- + /* Test vectors from RFC 3962 appendix B. 
*/ + { + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c +index bcf5c9106f..eb107dbcd2 100644 +--- a/src/lib/crypto/crypto_tests/vectors.c ++++ b/src/lib/crypto/crypto_tests/vectors.c +@@ -190,8 +190,6 @@ test_s2k (krb5_enctype enctype) + } + } + +-static void test_des3_s2k () { test_s2k (ENCTYPE_DES3_CBC_SHA1); } +- + static void + keyToData (krb5_keyblock *k, krb5_data *d) + { +@@ -208,8 +206,6 @@ void check_error (int r, int line) { + } + #define CHECK check_error(r, __LINE__) + +-extern struct krb5_enc_provider krb5int_enc_des3; +-struct krb5_enc_provider *enc = &krb5int_enc_des3; + extern struct krb5_enc_provider krb5int_enc_aes128, krb5int_enc_aes256; + + void DK (krb5_keyblock *out, krb5_keyblock *in, const krb5_data *usage) { +diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in +index cb2e40a3a5..f66698bd53 100644 +--- a/src/lib/crypto/krb/Makefile.in ++++ b/src/lib/crypto/krb/Makefile.in +@@ -47,7 +47,6 @@ STLIBOBJS=\ + prf.o \ + prf_aes2.o \ + prf_cmac.o \ +- prf_des.o \ + prf_dk.o \ + prf_rc4.o \ + prng.o \ +@@ -103,7 +102,6 @@ OBJS=\ + $(OUTPRE)prf.$(OBJEXT) \ + $(OUTPRE)prf_aes2.$(OBJEXT) \ + $(OUTPRE)prf_cmac.$(OBJEXT) \ +- $(OUTPRE)prf_des.$(OBJEXT) \ + $(OUTPRE)prf_dk.$(OBJEXT) \ + $(OUTPRE)prf_rc4.$(OBJEXT) \ + $(OUTPRE)prng.$(OBJEXT) \ +@@ -159,7 +157,6 @@ SRCS=\ + $(srcdir)/prf.c \ + $(srcdir)/prf_aes2.c \ + $(srcdir)/prf_cmac.c \ +- $(srcdir)/prf_des.c \ + $(srcdir)/prf_dk.c \ + $(srcdir)/prf_rc4.c \ + $(srcdir)/prng.c \ +diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c +index f7ba322f24..25a3ffd2d2 100644 +--- a/src/lib/crypto/krb/cksumtypes.c ++++ b/src/lib/crypto/krb/cksumtypes.c +@@ -52,12 +52,6 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = { + krb5int_unkeyed_checksum, NULL, + 20, 20, CKSUM_UNKEYED }, + +- { CKSUMTYPE_HMAC_SHA1_DES3, +- "hmac-sha1-des3", { "hmac-sha1-des3-kd" }, "HMAC-SHA1 DES3 
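Review bot: The `@@ -208` hunk in vectors.c deletes the file-scope `enc` pointer together with the `krb5int_enc_des3` extern, but `DK()` — whose body begins at the hunk's last context line and continues past it — and the rest of the file are not shown. If any remaining code in vectors.c still names `enc`, or if the `test_des3_s2k()` removed in the `@@ -190` hunk is still called from the test driver, crypto_tests stops building; a build of that directory would settle it. If nothing else refers to `enc`, no further change is needed here.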
key", +- &krb5int_enc_des3, &krb5int_hash_sha1, +- krb5int_dk_checksum, NULL, +- 20, 20, 0 }, +- + { CKSUMTYPE_HMAC_MD5_ARCFOUR, + "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, + "Microsoft HMAC MD5", +diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h +index 3629616d96..1ee4b30e02 100644 +--- a/src/lib/crypto/krb/crypto_int.h ++++ b/src/lib/crypto/krb/crypto_int.h +@@ -332,8 +332,6 @@ krb5_error_code krb5int_aes2_string_to_key(const struct krb5_keytypes *enc, + /* Random to key */ + krb5_error_code k5_rand2key_direct(const krb5_data *randombits, + krb5_keyblock *keyblock); +-krb5_error_code k5_rand2key_des3(const krb5_data *randombits, +- krb5_keyblock *keyblock); + + /* Pseudo-random function */ + krb5_error_code krb5int_des_prf(const struct krb5_keytypes *ktp, +@@ -411,11 +409,6 @@ krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); + /* Ensure library initialization has occurred. */ + int krb5int_crypto_init(void); + +-/* DES default state initialization handler (used by module enc providers). */ +-krb5_error_code krb5int_des_init_state(const krb5_keyblock *key, +- krb5_keyusage keyusage, +- krb5_data *state_out); +- + /* Default state cleanup handler (used by module enc providers). */ + void krb5int_default_free_state(krb5_data *state); + +@@ -468,7 +461,6 @@ void k5_iov_cursor_put(struct iov_cursor *cursor, unsigned char *block); + /* Modules must implement the k5_sha256() function prototyped in k5-int.h. */ + + /* Modules must implement the following enc_providers and hash_providers: */ +-extern const struct krb5_enc_provider krb5int_enc_des3; + extern const struct krb5_enc_provider krb5int_enc_arcfour; + extern const struct krb5_enc_provider krb5int_enc_aes128; + extern const struct krb5_enc_provider krb5int_enc_aes256; +@@ -485,9 +477,6 @@ extern const struct krb5_hash_provider krb5int_hash_sha384; + + /* Modules must implement the following functions. 
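Review bot: The `krb5int_des_prf` prototype survives as trailing context of the `@@ -332` hunk in crypto_int.h, while its definition in prf_des.c is deleted by this patch and the object is dropped from lib/crypto/krb/Makefile.in. Unless some other translation unit now defines it, the declaration is dead and the `/* Pseudo-random function */` comment above it points at nothing; remove the prototype (its parameter list continues beyond the hunk's context) so the header only declares what the library provides. The `k5_rand2key_des3` removal in the same hunk is matched by random_to_key.c, so the PRF declaration is the only one that looks overlooked.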
*/ + +-/* Set the parity bits to the correct values in keybits. */ +-void k5_des_fixup_key_parity(unsigned char *keybits); +- + /* Compute an HMAC using the provided hash function, key, and data, storing the + * result into output (caller-allocated). */ + krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash, +diff --git a/src/lib/crypto/krb/default_state.c b/src/lib/crypto/krb/default_state.c +index 0757c8b02c..f89dc79023 100644 +--- a/src/lib/crypto/krb/default_state.c ++++ b/src/lib/crypto/krb/default_state.c +@@ -32,16 +32,6 @@ + + #include "crypto_int.h" + +-krb5_error_code +-krb5int_des_init_state(const krb5_keyblock *key, krb5_keyusage usage, +- krb5_data *state_out) +-{ +- if (alloc_data(state_out, 8)) +- return ENOMEM; +- +- return 0; +-} +- + void + krb5int_default_free_state(krb5_data *state) + { +diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c +index 1542d40629..a0037912a7 100644 +--- a/src/lib/crypto/krb/enctype_util.c ++++ b/src/lib/crypto/krb/enctype_util.c +@@ -45,6 +45,9 @@ struct { + { ENCTYPE_DES_CBC_MD5, "des-cbc-md5" }, + { ENCTYPE_DES_CBC_RAW, "des-cbc-raw" }, + { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1" }, ++ { ENCTYPE_DES3_CBC_SHA, "des3-cbc-sha1" }, ++ { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw" }, ++ { ENCTYPE_DES3_CBC_SHA1, "des3-hmac-sha1" }, + { ENCTYPE_NULL, NULL } + }; + +diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c +index fc278783b9..7635393a41 100644 +--- a/src/lib/crypto/krb/etypes.c ++++ b/src/lib/crypto/krb/etypes.c +@@ -35,27 +35,6 @@ + + /* Deprecations come from RFC 6649 and RFC 8249. 
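Review bot: In the enctype_util.c hunk, `des3-cbc-sha1` is attached to ENCTYPE_DES3_CBC_SHA, yet in the krb5int_enctypes_list entry this patch removes from etypes.c that string was the canonical name of ENCTYPE_DES3_CBC_SHA1, whose aliases `des3-hmac-sha1` and `des3-cbc-sha1-kd` are now respectively the only name for that enctype and absent altogether. Wherever this table feeds enctype-to-name output (presumably diagnostics about no-longer-supported types), the name administrators know from their configurations now labels a different enctype constant, and `des3-cbc-sha1-kd` resolves to nothing. Consider keeping the historical name on the type that was actually in use, e.g. `{ ENCTYPE_DES3_CBC_SHA, "des3-cbc-sha" },` and `{ ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1" },`, and call out the dropped aliases in the patch description so the change in diagnostics is deliberate.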
*/ + const struct krb5_keytypes krb5int_enctypes_list[] = { +- { ENCTYPE_DES3_CBC_RAW, +- "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", +- &krb5int_enc_des3, NULL, +- 16, +- krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt, +- krb5int_dk_string_to_key, k5_rand2key_des3, +- NULL, /*PRF*/ +- 0, +- ETYPE_WEAK | ETYPE_DEPRECATED, 112 }, +- +- { ENCTYPE_DES3_CBC_SHA1, +- "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, +- "Triple DES cbc mode with HMAC/sha1", +- &krb5int_enc_des3, &krb5int_hash_sha1, +- 16, +- krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, +- krb5int_dk_string_to_key, k5_rand2key_des3, +- krb5int_dk_prf, +- CKSUMTYPE_HMAC_SHA1_DES3, +- ETYPE_DEPRECATED, 112 }, +- + /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we + * consider its strength degraded and assign it an SSF value of 64. */ + { ENCTYPE_ARCFOUR_HMAC, +diff --git a/src/lib/crypto/krb/prf_des.c b/src/lib/crypto/krb/prf_des.c +deleted file mode 100644 +index 7a2d719c5f..0000000000 +--- a/src/lib/crypto/krb/prf_des.c ++++ /dev/null +@@ -1,47 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/krb/prf_des.c - RFC 3961 DES-based PRF */ +-/* +- * Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. 
not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-#include "crypto_int.h" +- +-krb5_error_code +-krb5int_des_prf(const struct krb5_keytypes *ktp, krb5_key key, +- const krb5_data *in, krb5_data *out) +-{ +- const struct krb5_hash_provider *hash = &krb5int_hash_md5; +- krb5_crypto_iov iov; +- krb5_error_code ret; +- +- /* Compute a hash of the input, storing into the output buffer. */ +- iov.flags = KRB5_CRYPTO_TYPE_DATA; +- iov.data = *in; +- ret = hash->hash(&iov, 1, out); +- if (ret != 0) +- return ret; +- +- /* Encrypt the hash in place. 
*/ +- iov.data = *out; +- return ktp->enc->encrypt(key, NULL, &iov, 1); +-} +diff --git a/src/lib/crypto/krb/random_to_key.c b/src/lib/crypto/krb/random_to_key.c +index 9394385aa0..863090beb2 100644 +--- a/src/lib/crypto/krb/random_to_key.c ++++ b/src/lib/crypto/krb/random_to_key.c +@@ -71,31 +71,3 @@ k5_rand2key_direct(const krb5_data *randombits, krb5_keyblock *keyblock) + memcpy(keyblock->contents, randombits->data, randombits->length); + return 0; + } +- +-static inline void +-eighth_byte(unsigned char *b) +-{ +- b[7] = (((b[0] & 1) << 1) | ((b[1] & 1) << 2) | ((b[2] & 1) << 3) | +- ((b[3] & 1) << 4) | ((b[4] & 1) << 5) | ((b[5] & 1) << 6) | +- ((b[6] & 1) << 7)); +-} +- +-krb5_error_code +-k5_rand2key_des3(const krb5_data *randombits, krb5_keyblock *keyblock) +-{ +- int i; +- +- if (randombits->length != 21) +- return KRB5_CRYPTO_INTERNAL; +- +- keyblock->magic = KV5M_KEYBLOCK; +- +- /* Take the seven bytes, move them around into the top 7 bits of the +- * 8 key bytes, then compute the parity bits. Do this three times. */ +- for (i = 0; i < 3; i++) { +- memcpy(&keyblock->contents[i * 8], &randombits->data[i * 7], 7); +- eighth_byte(&keyblock->contents[i * 8]); +- k5_des_fixup_key_parity(&keyblock->contents[i * 8]); +- } +- return 0; +-} +diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports +index 052f4d4b51..d8ffa63304 100644 +--- a/src/lib/crypto/libk5crypto.exports ++++ b/src/lib/crypto/libk5crypto.exports +@@ -86,7 +86,6 @@ krb5_k_verify_checksum + krb5_k_verify_checksum_iov + krb5int_aes_encrypt + krb5int_aes_decrypt +-krb5int_enc_des3 + krb5int_arcfour_gsscrypt + krb5int_camellia_encrypt + krb5int_cmac_checksum +diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in +index cf11f6847b..8e4cdb8bbf 100644 +--- a/src/lib/crypto/openssl/Makefile.in ++++ b/src/lib/crypto/openssl/Makefile.in +@@ -1,6 +1,6 @@ + mydir=lib$(S)crypto$(S)openssl + BUILDTOP=$(REL)..$(S)..$(S).. 
+-SUBDIRS=des enc_provider hash_provider ++SUBDIRS=enc_provider hash_provider + LOCALINCLUDES=-I$(srcdir)/../krb $(CRYPTO_IMPL_CFLAGS) + + STLIBOBJS=\ +@@ -24,7 +24,7 @@ SRCS=\ + $(srcdir)/pbkdf2.c \ + $(srcdir)/sha256.c + +-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ ++SUBDIROBJLISTS= md4/OBJS.ST \ + md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ + enc_provider/OBJS.ST \ + hash_provider/OBJS.ST \ +diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in +deleted file mode 100644 +index a6cece1dd1..0000000000 +--- a/src/lib/crypto/openssl/des/Makefile.in ++++ /dev/null +@@ -1,20 +0,0 @@ +-mydir=lib$(S)crypto$(S)openssl$(S)des +-BUILDTOP=$(REL)..$(S)..$(S)..$(S).. +-LOCALINCLUDES = -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) +- +-STLIBOBJS= des_keys.o +- +-OBJS= $(OUTPRE)des_keys.$(OBJEXT) +- +-SRCS= $(srcdir)/des_keys.c +- +-all-unix: all-libobjs +- +-includes: depend +- +-depend: $(SRCS) +- +-clean-unix:: clean-libobjs +- +-@libobj_frag@ +- +diff --git a/src/lib/crypto/openssl/des/deps b/src/lib/crypto/openssl/des/deps +deleted file mode 100644 +index 723c268082..0000000000 +--- a/src/lib/crypto/openssl/des/deps ++++ /dev/null +@@ -1,14 +0,0 @@ +-# +-# Generated makefile dependencies follow. 
+-# +-des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ +- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ +- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ +- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ +- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ +- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ +- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ +- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ +- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ +- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ +- $(top_srcdir)/include/socket-utils.h des_keys.c +diff --git a/src/lib/crypto/openssl/des/des_keys.c b/src/lib/crypto/openssl/des/des_keys.c +deleted file mode 100644 +index 83f1cbf22a..0000000000 +--- a/src/lib/crypto/openssl/des/des_keys.c ++++ /dev/null +@@ -1,39 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/openssl/des/des_keys.c - Key functions used by Kerberos code */ +-/* +- * Copyright (C) 2011 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. 
not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +- +-#include "crypto_int.h" +- +-#ifdef K5_OPENSSL_DES_KEY_PARITY +- +-#include +- +-void +-k5_des_fixup_key_parity(unsigned char *keybits) +-{ +- DES_set_odd_parity((DES_cblock *)keybits); +-} +- +-#endif +diff --git a/src/lib/crypto/openssl/enc_provider/Makefile.in b/src/lib/crypto/openssl/enc_provider/Makefile.in +index 26827cfed5..f0d37c1213 100644 +--- a/src/lib/crypto/openssl/enc_provider/Makefile.in ++++ b/src/lib/crypto/openssl/enc_provider/Makefile.in +@@ -3,19 +3,16 @@ BUILDTOP=$(REL)..$(S)..$(S)..$(S).. + LOCALINCLUDES = -I$(srcdir)/../../krb $(CRYPTO_IMPL_CFLAGS) + + STLIBOBJS= \ +- des3.o \ + rc4.o \ + aes.o \ + camellia.o + + OBJS= \ +- $(OUTPRE)des3.$(OBJEXT) \ + $(OUTPRE)aes.$(OBJEXT) \ + $(OUTPRE)camellia.$(OBJEXT) \ + $(OUTPRE)rc4.$(OBJEXT) + + SRCS= \ +- $(srcdir)/des3.c \ + $(srcdir)/aes.c \ + $(srcdir)/camellia.c \ + $(srcdir)/rc4.c +diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps +index 1c87a526d0..a502990a0c 100644 +--- a/src/lib/crypto/openssl/enc_provider/deps ++++ b/src/lib/crypto/openssl/enc_provider/deps +@@ -1,17 +1,6 @@ + # + # Generated makefile dependencies follow. 
+ # +-des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ +- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ +- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ +- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ +- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ +- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ +- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ +- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ +- des3.c + aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ +diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c +deleted file mode 100644 +index 90fcf9acb5..0000000000 +--- a/src/lib/crypto/openssl/enc_provider/des3.c ++++ /dev/null +@@ -1,188 +0,0 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +-/* lib/crypto/openssl/enc_provider/des3.c */ +-/* +- * Copyright (C) 2009 by the Massachusetts Institute of Technology. +- * All rights reserved. +- * +- * Export of this software from the United States of America may +- * require a specific license from the United States Government. +- * It is the responsibility of any person or organization contemplating +- * export to obtain such a license before exporting. 
+- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of M.I.T. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. Furthermore if you modify this software you must label +- * your software as modified software and not distribute it in such a +- * fashion that it might be confused with the original M.I.T. software. +- * M.I.T. makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. +- */ +-/* +- * Copyright (C) 1998 by the FundsXpress, INC. +- * +- * All rights reserved. +- * +- * Export of this software from the United States of America may require +- * a specific license from the United States Government. It is the +- * responsibility of any person or organization contemplating export to +- * obtain such a license before exporting. +- * +- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +- * distribute this software and its documentation for any purpose and +- * without fee is hereby granted, provided that the above copyright +- * notice appear in all copies and that both that copyright notice and +- * this permission notice appear in supporting documentation, and that +- * the name of FundsXpress. not be used in advertising or publicity pertaining +- * to distribution of the software without specific, written prior +- * permission. FundsXpress makes no representations about the suitability of +- * this software for any purpose. It is provided "as is" without express +- * or implied warranty. 
+- * +- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR +- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED +- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. +- */ +- +-#include "crypto_int.h" +- +-#ifdef K5_OPENSSL_DES +- +-#include +- +-#define DES3_BLOCK_SIZE 8 +-#define DES3_KEY_SIZE 24 +-#define DES3_KEY_BYTES 21 +- +-static krb5_error_code +-validate(krb5_key key, const krb5_data *ivec, const krb5_crypto_iov *data, +- size_t num_data, krb5_boolean *empty) +-{ +- size_t input_length = iov_total_length(data, num_data, FALSE); +- +- if (key->keyblock.length != DES3_KEY_SIZE) +- return(KRB5_BAD_KEYSIZE); +- if ((input_length%DES3_BLOCK_SIZE) != 0) +- return(KRB5_BAD_MSIZE); +- if (ivec && (ivec->length != 8)) +- return(KRB5_BAD_MSIZE); +- +- *empty = (input_length == 0); +- return 0; +-} +- +-static krb5_error_code +-k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, +- size_t num_data) +-{ +- int ret, olen = DES3_BLOCK_SIZE; +- unsigned char iblock[DES3_BLOCK_SIZE], oblock[DES3_BLOCK_SIZE]; +- struct iov_cursor cursor; +- EVP_CIPHER_CTX *ctx; +- krb5_boolean empty; +- +- ret = validate(key, ivec, data, num_data, &empty); +- if (ret != 0 || empty) +- return ret; +- +- ctx = EVP_CIPHER_CTX_new(); +- if (ctx == NULL) +- return ENOMEM; +- +- ret = EVP_EncryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL, +- key->keyblock.contents, +- (ivec) ? 
(unsigned char*)ivec->data : NULL); +- if (!ret) { +- EVP_CIPHER_CTX_free(ctx); +- return KRB5_CRYPTO_INTERNAL; +- } +- +- EVP_CIPHER_CTX_set_padding(ctx,0); +- +- k5_iov_cursor_init(&cursor, data, num_data, DES3_BLOCK_SIZE, FALSE); +- while (k5_iov_cursor_get(&cursor, iblock)) { +- ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, DES3_BLOCK_SIZE); +- if (!ret) +- break; +- k5_iov_cursor_put(&cursor, oblock); +- } +- +- if (ivec != NULL) +- memcpy(ivec->data, oblock, DES3_BLOCK_SIZE); +- +- EVP_CIPHER_CTX_free(ctx); +- +- zap(iblock, sizeof(iblock)); +- zap(oblock, sizeof(oblock)); +- +- if (ret != 1) +- return KRB5_CRYPTO_INTERNAL; +- return 0; +-} +- +-static krb5_error_code +-k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, +- size_t num_data) +-{ +- int ret, olen = DES3_BLOCK_SIZE; +- unsigned char iblock[DES3_BLOCK_SIZE], oblock[DES3_BLOCK_SIZE]; +- struct iov_cursor cursor; +- EVP_CIPHER_CTX *ctx; +- krb5_boolean empty; +- +- ret = validate(key, ivec, data, num_data, &empty); +- if (ret != 0 || empty) +- return ret; +- +- ctx = EVP_CIPHER_CTX_new(); +- if (ctx == NULL) +- return ENOMEM; +- +- ret = EVP_DecryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL, +- key->keyblock.contents, +- (ivec) ? 
(unsigned char*)ivec->data : NULL); +- if (!ret) { +- EVP_CIPHER_CTX_free(ctx); +- return KRB5_CRYPTO_INTERNAL; +- } +- +- EVP_CIPHER_CTX_set_padding(ctx,0); +- +- k5_iov_cursor_init(&cursor, data, num_data, DES3_BLOCK_SIZE, FALSE); +- while (k5_iov_cursor_get(&cursor, iblock)) { +- ret = EVP_DecryptUpdate(ctx, oblock, &olen, +- (unsigned char *)iblock, DES3_BLOCK_SIZE); +- if (!ret) +- break; +- k5_iov_cursor_put(&cursor, oblock); +- } +- +- if (ivec != NULL) +- memcpy(ivec->data, iblock, DES3_BLOCK_SIZE); +- +- EVP_CIPHER_CTX_free(ctx); +- +- zap(iblock, sizeof(iblock)); +- zap(oblock, sizeof(oblock)); +- +- if (ret != 1) +- return KRB5_CRYPTO_INTERNAL; +- return 0; +-} +- +-const struct krb5_enc_provider krb5int_enc_des3 = { +- DES3_BLOCK_SIZE, +- DES3_KEY_BYTES, DES3_KEY_SIZE, +- k5_des3_encrypt, +- k5_des3_decrypt, +- NULL, +- krb5int_des_init_state, +- krb5int_default_free_state +-}; +- +-#endif /* K5_OPENSSL_DES */ +diff --git a/src/lib/crypto/openssl/kdf.c b/src/lib/crypto/openssl/kdf.c +index 41e845eae0..5a43c3d9eb 100644 +--- a/src/lib/crypto/openssl/kdf.c ++++ b/src/lib/crypto/openssl/kdf.c +@@ -60,8 +60,6 @@ enc_name(const struct krb5_enc_provider *enc) + return "AES-128-CBC"; + if (enc == &krb5int_enc_aes256) + return "AES-256-CBC"; +- if (enc == &krb5int_enc_des3) +- return "DES-EDE3-CBC"; + return NULL; + } + +diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c +index b35e11bfb6..d7c2ad321e 100644 +--- a/src/lib/gssapi/krb5/accept_sec_context.c ++++ b/src/lib/gssapi/krb5/accept_sec_context.c +@@ -1026,7 +1026,6 @@ kg_accept_krb5(minor_status, context_handle, + } + + switch (negotiated_etype) { +- case ENCTYPE_DES3_CBC_SHA1: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: + /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 7364607198..5aeb69aebc 100644 +--- 
a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -125,14 +125,14 @@ enum sgn_alg {
+ /* SGN_ALG_DES_MAC = 0x0002, */
+ /* SGN_ALG_3 = 0x0003, /\* not published *\/ */
+ SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
+- SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
++ /* SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004 */
+ };
+ enum seal_alg {
+ SEAL_ALG_NONE = 0xffff,
+ /* SEAL_ALG_DES = 0x0000, */
+ /* SEAL_ALG_1 = 0x0001, /\* not published *\/ */
+ SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
+- SEAL_ALG_DES3KD = 0x0002
++ /* SEAL_ALG_DES3KD = 0x0002 */
+ };
+
+ /* for 3DES */
+@@ -153,7 +153,7 @@ enum qop {
+ GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
+ GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
+ /* GSS_KRB5_CONF_C_QOP_DES = 0x0100, */
+- GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
++ /* GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200, */
+ GSS_KRB5_CONF_C_QOP_MASK = 0xff00
+ };
+
+diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
+index 99275be53a..0e5d10b115 100644
+--- a/src/lib/gssapi/krb5/k5seal.c
++++ b/src/lib/gssapi/krb5/k5seal.c
+@@ -142,19 +142,12 @@ make_seal_token_v1 (krb5_context context,
+
+ /* pad the plaintext, encrypt if needed, and stick it in the token */
+
+- /* initialize the the checksum */
+- switch (signalg) {
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+- break;
+- case SGN_ALG_HMAC_MD5:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+- if (toktype != KG_TOK_SEAL_MSG)
+- sign_usage = 15;
+- break;
+- default:
+- abort ();
+- }
++ if (signalg != SGN_ALG_HMAC_MD5)
++ abort();
++
++ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
++ if (toktype != KG_TOK_SEAL_MSG)
++ sign_usage = 15;
+
+ code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
+ if (code) {
+@@ -203,20 +196,8 @@ make_seal_token_v1 (krb5_context context,
+ gssalloc_free(t);
+ return(code);
+ }
+- switch(signalg) {
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- /*
+- * Using key derivation,
the call to krb5_c_make_checksum
+- * already dealt with encrypting.
+- */
+- if (md5cksum.length != cksum_size)
+- abort ();
+- memcpy(checksum, md5cksum.contents, md5cksum.length);
+- break;
+- case SGN_ALG_HMAC_MD5:
+- memcpy(checksum, md5cksum.contents, cksum_size);
+- break;
+- }
++
++ memcpy(checksum, md5cksum.contents, cksum_size);
+
+ krb5_free_checksum_contents(context, &md5cksum);
+
+diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
+index 7bf7609a48..d5e12cb436 100644
+--- a/src/lib/gssapi/krb5/k5sealiov.c
++++ b/src/lib/gssapi/krb5/k5sealiov.c
+@@ -147,18 +147,11 @@ make_seal_token_v1_iov(krb5_context context,
+ /* pad the plaintext, encrypt if needed, and stick it in the token */
+
+ /* initialize the checksum */
+- switch (ctx->signalg) {
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+- break;
+- case SGN_ALG_HMAC_MD5:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+- if (toktype != KG_TOK_WRAP_MSG)
+- sign_usage = 15;
+- break;
+- default:
+- abort ();
+- }
++ if (ctx->signalg != SGN_ALG_HMAC_MD5)
++ abort();
++ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
++ if (toktype != KG_TOK_WRAP_MSG)
++ sign_usage = 15;
+
+ code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
+ if (code != 0)
+@@ -182,15 +175,7 @@ make_seal_token_v1_iov(krb5_context context,
+ if (code != 0)
+ goto cleanup;
+
+- switch (ctx->signalg) {
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- assert(md5cksum.length == ctx->cksum_size);
+- memcpy(checksum, md5cksum.contents, md5cksum.length);
+- break;
+- case SGN_ALG_HMAC_MD5:
+- memcpy(checksum, md5cksum.contents, ctx->cksum_size);
+- break;
+- }
++ memcpy(checksum, md5cksum.contents, ctx->cksum_size);
+
+ /* create the seq_num */
+ code = kg_make_seq_num(context, ctx->seq, ctx->initiate ?
0 : 0xFF,
+diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
+index 9b183bc337..f0cc4a6809 100644
+--- a/src/lib/gssapi/krb5/k5unseal.c
++++ b/src/lib/gssapi/krb5/k5unseal.c
+@@ -131,28 +131,21 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
+ but few enough that we can try them all. */
+
+ if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
+- (ctx->sealalg == SEAL_ALG_DES3KD &&
+- signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
+ (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
+ signalg != SGN_ALG_HMAC_MD5)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+- switch (signalg) {
+- case SGN_ALG_HMAC_MD5:
+- cksum_len = 8;
+- if (toktype != KG_TOK_SEAL_MSG)
+- sign_usage = 15;
+- break;
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- cksum_len = 20;
+- break;
+- default:
++ if (signalg != SGN_ALG_HMAC_MD5) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ cksum_len = 8;
++ if (toktype != KG_TOK_SEAL_MSG)
++ sign_usage = 15;
++
+ if ((size_t)bodysize < 14 + cksum_len) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+@@ -252,64 +245,53 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
+ /* compute the checksum of the message */
+
+ /* initialize the the cksum */
+- switch (signalg) {
+- case SGN_ALG_HMAC_MD5:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+- break;
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+- break;
+- default:
+- abort ();
+- }
++ if (signalg != SGN_ALG_HMAC_MD5)
++ abort();
++ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+
+ code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
+ if (code)
+ return(code);
+ md5cksum.length = sumlen;
+
+- switch (signalg) {
+- default:
++ if (signalg != SGN_ALG_HMAC_MD5) {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
++ }
+
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- case SGN_ALG_HMAC_MD5:
+- /* compute the checksum of the message */
+-
+- /*
8 = bytes of token body to be checksummed according to spec */
++ /* compute the checksum of the message */
+
+- if (! (data_ptr = xmalloc(8 + plainlen))) {
+- if (sealalg != 0xffff)
+- xfree(plain);
+- if (toktype == KG_TOK_SEAL_MSG)
+- gssalloc_free(token.value);
+- *minor_status = ENOMEM;
+- return(GSS_S_FAILURE);
+- }
++ /* 8 = bytes of token body to be checksummed according to spec */
+
+- (void) memcpy(data_ptr, ptr-2, 8);
++ if (! (data_ptr = xmalloc(8 + plainlen))) {
++ if (sealalg != 0xffff)
++ xfree(plain);
++ if (toktype == KG_TOK_SEAL_MSG)
++ gssalloc_free(token.value);
++ *minor_status = ENOMEM;
++ return(GSS_S_FAILURE);
++ }
+
+- (void) memcpy(data_ptr+8, plain, plainlen);
++ (void) memcpy(data_ptr, ptr-2, 8);
+
+- plaind.length = 8 + plainlen;
+- plaind.data = data_ptr;
+- code = krb5_k_make_checksum(context, md5cksum.checksum_type,
+- ctx->seq, sign_usage,
+- &plaind, &md5cksum);
+- xfree(data_ptr);
++ (void) memcpy(data_ptr+8, plain, plainlen);
+
+- if (code) {
+- if (toktype == KG_TOK_SEAL_MSG)
+- gssalloc_free(token.value);
+- *minor_status = code;
+- return(GSS_S_FAILURE);
+- }
++ plaind.length = 8 + plainlen;
++ plaind.data = data_ptr;
++ code = krb5_k_make_checksum(context, md5cksum.checksum_type,
++ ctx->seq, sign_usage,
++ &plaind, &md5cksum);
++ xfree(data_ptr);
+
+- code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
+- break;
++ if (code) {
++ if (toktype == KG_TOK_SEAL_MSG)
++ gssalloc_free(token.value);
++ *minor_status = code;
++ return(GSS_S_FAILURE);
+ }
+
++ code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
++
+ krb5_free_checksum_contents(context, &md5cksum);
+ if (sealalg != 0xffff)
+ xfree(plain);
+diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
+index 21b501731e..6a6585d9af 100644
+--- a/src/lib/gssapi/krb5/k5unsealiov.c
++++ b/src/lib/gssapi/krb5/k5unsealiov.c
+@@ -103,28 +103,21 @@ kg_unseal_v1_iov(krb5_context context,
+ }
+
+ if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
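Review bot: In the `@@ -252` hunk of k5unseal.c, the check `if (signalg != SGN_ALG_HMAC_MD5) { *minor_status = 0; return(GSS_S_DEFECTIVE_TOKEN); }` placed after `krb5_c_checksum_length()` can never fire: the same condition already calls `abort()` a few lines earlier in this hunk, and the `@@ -131` hunk returns GSS_S_DEFECTIVE_TOKEN for any other signalg before this point (assuming nothing between the hunks reassigns signalg). Keeping a hard abort and a soft rejection of the same value reads as two policies for one condition; since the early return in the first hunk is what keeps an attacker-supplied token away from `abort()`, the later abort and the unreachable return could be collapsed into a single assertion-style check. The same pattern is in k5unsealiov.c, where the `@@ -182` hunk aborts and the `@@ -210` hunk then tests the same condition again with `goto cleanup`. kg_unseal_v1 begins and ends outside these hunks.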
+- (ctx->sealalg == SEAL_ALG_DES3KD &&
+- signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
+ (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
+ signalg != SGN_ALG_HMAC_MD5)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+- switch (signalg) {
+- case SGN_ALG_HMAC_MD5:
+- cksum_len = 8;
+- if (toktype != KG_TOK_WRAP_MSG)
+- sign_usage = 15;
+- break;
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- cksum_len = 20;
+- break;
+- default:
++ if (signalg != SGN_ALG_HMAC_MD5) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
++ cksum_len = 8;
++ if (toktype != KG_TOK_WRAP_MSG)
++ sign_usage = 15;
++
+ /* get the token parameters */
+ code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
+ &seqnum);
+@@ -182,16 +175,10 @@ kg_unseal_v1_iov(krb5_context context,
+
+ /* initialize the checksum */
+
+- switch (signalg) {
+- case SGN_ALG_HMAC_MD5:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+- break;
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+- break;
+- default:
++ if (signalg != SGN_ALG_HMAC_MD5)
+ abort();
+- }
++
++ md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
+
+ code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
+ if (code != 0) {
+@@ -210,18 +197,13 @@ kg_unseal_v1_iov(krb5_context context,
+ goto cleanup;
+ }
+
+- switch (signalg) {
+- case SGN_ALG_HMAC_SHA1_DES3_KD:
+- case SGN_ALG_HMAC_MD5:
+- code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
+- break;
+- default:
++ if (signalg != SGN_ALG_HMAC_MD5) {
+ code = 0;
+ retval = GSS_S_DEFECTIVE_TOKEN;
+ goto cleanup;
+- break;
+ }
+
++ code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
+ if (code != 0) {
+ code = 0;
+ retval = GSS_S_BAD_SIG;
+diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
+index 84f1949887..32150f5e34 100644
+--- a/src/lib/gssapi/krb5/util_crypt.c
++++ b/src/lib/gssapi/krb5/util_crypt.c
+@@ -97,17 +97,6 @@ kg_setup_keys(krb5_context context,
krb5_gss_ctx_id_rec *ctx, krb5_key subkey, + return code; + + switch (subkey->keyblock.enctype) { +- case ENCTYPE_DES3_CBC_SHA1: +- code = kg_copy_keys(context, ctx, subkey); +- if (code != 0) +- return code; +- +- ctx->enc->keyblock.enctype = ENCTYPE_DES3_CBC_RAW; +- ctx->seq->keyblock.enctype = ENCTYPE_DES3_CBC_RAW; +- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; +- ctx->cksum_size = 20; +- ctx->sealalg = SEAL_ALG_DES3KD; +- break; + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: + /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype, +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 87b486c53f..2b5abcd817 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -59,7 +59,6 @@ + static krb5_enctype default_enctype_list[] = { + ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, +- ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, + 0 +@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, + /* Set all enctypes in the default list. 
*/ + for (i = 0; default_list[i]; i++) + mod_list(default_list[i], sel, weak, &list); +- } else if (strcasecmp(token, "des3") == 0) { +- mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, &list); + } else if (strcasecmp(token, "aes") == 0) { + mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, &list); + mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list); +diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c +index 44d113e7c5..9662785783 100644 +--- a/src/lib/krb5/krb/s4u_creds.c ++++ b/src/lib/krb5/krb/s4u_creds.c +@@ -288,8 +288,6 @@ verify_s4u2self_reply(krb5_context context, + assert(req_s4u_user != NULL); + + switch (subkey->enctype) { +- case ENCTYPE_DES3_CBC_SHA1: +- case ENCTYPE_DES3_CBC_RAW: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP : + not_newer = TRUE; +diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c +index 90c9f626c6..935aca12f5 100644 +--- a/src/lib/krb5/krb/t_etypes.c ++++ b/src/lib/krb5/krb/t_etypes.c +@@ -50,17 +50,6 @@ static struct { + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, + 0, 0 + }, +- /* Family followed by enctype */ +- { "aes des3-cbc-sha1-kd", +- { 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, +- ENCTYPE_DES3_CBC_SHA1, 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, +- ENCTYPE_DES3_CBC_SHA1, 0 }, +- 0, 0 +- }, + /* Family with enctype removed */ + { "camellia -camellia256-cts-cmac", + { 0 }, +@@ -69,46 +58,15 @@ static struct { + }, + /* Default set with family added and enctype removed */ + { "DEFAULT +aes -arcfour-hmac-md5", +- { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, 0 }, +- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++ { ENCTYPE_ARCFOUR_HMAC, 0 }, ++ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, 
ENCTYPE_AES256_CTS_HMAC_SHA384_192, + ENCTYPE_AES128_CTS_HMAC_SHA256_128, 0 }, +- { ENCTYPE_DES3_CBC_SHA1, +- ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA384_192, ENCTYPE_AES128_CTS_HMAC_SHA256_128, + 0 }, + 0, 0 + }, +- /* Default set with families removed and enctypes added (one redundant) */ +- { "DEFAULT -des3 rc4-hmac rc4-hmac-exp", +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_ARCFOUR_HMAC, 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC_EXP, 0 }, +- 0, 0 +- }, +- /* Default set with family moved to front */ +- { "des3 +DEFAULT", +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, +- ENCTYPE_DES3_CBC_SHA1, 0 }, +- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, +- ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, +- { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, +- ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, +- 0, 0 +- }, +- /* Two families with default set removed (exotic case), enctype added */ +- { "aes +rc4 -DEFaulT des3-hmac-sha1", +- { ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, +- ENCTYPE_ARCFOUR_HMAC, 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, +- ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, +- { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA384_192, +- ENCTYPE_AES128_CTS_HMAC_SHA256_128, ENCTYPE_DES3_CBC_SHA1, 0 }, +- 0, 0 +- }, + /* Test krb5_set_default_in_tkt_ktypes */ + { NULL, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 }, +diff --git a/src/lib/krb5/os/t_trace.c b/src/lib/krb5/os/t_trace.c +index 10ba8d0ac7..24064ffcfd 100644 +--- a/src/lib/krb5/os/t_trace.c ++++ b/src/lib/krb5/os/t_trace.c +@@ -65,8 
+65,8 @@ main (int argc, char *argv[]) + krb5_principal princ = &principal_data; + krb5_pa_data padata, padata2, **padatap; + krb5_enctype enctypes[4] = { +- ENCTYPE_DES3_CBC_SHA, ENCTYPE_ARCFOUR_HMAC_EXP, ENCTYPE_UNKNOWN, +- ENCTYPE_NULL}; ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC_EXP, ++ ENCTYPE_UNKNOWN, ENCTYPE_NULL}; + krb5_ccache ccache; + krb5_keytab keytab; + krb5_creds creds; +diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref +index 044a66999e..98fb14f3f7 100644 +--- a/src/lib/krb5/os/t_trace.ref ++++ b/src/lib/krb5/os/t_trace.ref +@@ -41,7 +41,7 @@ int, krb5_principal type: ? + krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 + krb5_pa_data **, display list of padata type numbers: (empty) + krb5_enctype, display shortest name of enctype: aes128-cts +-krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 ++krb5_enctype *, display list of enctypes: aes128-cts, rc4-hmac-exp, 511 + krb5_enctype *, display list of enctypes: (empty) + krb5_ccache, display type:name: FILE:/path/to/ccache + krb5_keytab, display name: FILE:/etc/krb5.keytab +diff --git a/src/plugins/preauth/pkinit/pkcs11.h b/src/plugins/preauth/pkinit/pkcs11.h +index e3d2846315..586661bb7e 100644 +--- a/src/plugins/preauth/pkinit/pkcs11.h ++++ b/src/plugins/preauth/pkinit/pkcs11.h +@@ -339,9 +339,9 @@ typedef unsigned long ck_key_type_t; + #define CKK_GENERIC_SECRET (0x10) + #define CKK_RC2 (0x11) + #define CKK_RC4 (0x12) +-#define CKK_DES (0x13) +-#define CKK_DES2 (0x14) +-#define CKK_DES3 (0x15) ++/* #define CKK_DES (0x13) */ ++/* #define CKK_DES2 (0x14) */ ++/* #define CKK_DES3 (0x15) */ + #define CKK_CAST (0x16) + #define CKK_CAST3 (0x17) + #define CKK_CAST128 (0x18) +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index e22798f668..9fa315d7a0 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -370,11 +370,11 @@ 
krb5_error_code server_process_dh + * krb5_algorithm_identifier + */ + krb5_error_code create_krb5_supportedCMSTypes +- (krb5_context context, /* IN */ +- pkinit_plg_crypto_context plg_cryptoctx, /* IN */ +- pkinit_req_crypto_context req_cryptoctx, /* IN */ +- pkinit_identity_crypto_context id_cryptoctx, /* IN */ +- krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ ++ (krb5_context context, /* IN */ ++ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ ++ pkinit_req_crypto_context req_cryptoctx, /* IN */ ++ pkinit_identity_crypto_context id_cryptoctx, /* IN */ ++ krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ + + /* + * this functions takes in crypto specific representation of +diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c +index 7f38e84910..99c93ac128 100644 +--- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c ++++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c +@@ -49,7 +49,6 @@ char eighteen_bs[9]; + char party_u_name[] = "lha@SU.SE"; + char party_v_name[] = "krbtgt/SU.SE@SU.SE"; + int enctype_aes = ENCTYPE_AES256_CTS_HMAC_SHA1_96; +-int enctype_des3 = ENCTYPE_DES3_CBC_SHA1; + const krb5_data lha_data = DATA_FROM_STRING("lha"); + + krb5_octet key1_hex[] = +@@ -187,35 +186,6 @@ main(int argc, char **argv) + goto cleanup; + } + +- /* TEST 3: SHA-512/DES3 */ +- /* set up algorithm id */ +- alg_id.algorithm = sha512_id; +- +- enctype = enctype_des3; +- +- /* call pkinit_alg_agility_kdf() with test vector values*/ +- if (0 != (retval = pkinit_alg_agility_kdf(context, &secret, +- &alg_id.algorithm, +- u_principal, v_principal, +- enctype, &as_req, &pk_as_rep, +- &key_block))) { +- printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n", +- retval); +- goto cleanup; +- } +- +- /* compare key to expected key value */ +- +- if ((key_block.length == sizeof(key3_hex)) && +- (0 == memcmp(key_block.contents, key3_hex, key_block.length))) { +- printf("SUCCESS: TEST 3 (SHA-512/DES3), 
Correct key value generated.\n"); +- retval = 0; +- } else { +- printf("FAILURE: TEST 2 (SHA-512/DES3), Incorrect key value generated!\n"); +- retval = 1; +- goto cleanup; +- } +- + cleanup: + /* release all allocated resources, whether good or bad return */ + free(secret.data); +diff --git a/src/plugins/preauth/spake/t_vectors.c b/src/plugins/preauth/spake/t_vectors.c +index 2279202d3a..96b0307d78 100644 +--- a/src/plugins/preauth/spake/t_vectors.c ++++ b/src/plugins/preauth/spake/t_vectors.c +@@ -56,31 +56,6 @@ struct test { + const char *K2; + const char *K3; + } tests[] = { +- { ENCTYPE_DES3_CBC_SHA1, SPAKE_GROUP_EDWARDS25519, +- /* initial key, w, x, y, T, S, K */ +- "850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E", +- "686D84730CB8679AE95416C6567C6A63F2C9CEF124F7A3371AE81E11CAD42A37", +- "201012D07BFD48DDFA33C4AAC4FB1E229FB0D043CFE65EBFB14399091C71A723", +- "500B294797B8B042ACA1BEDC0F5931A4F52C537B3608B2D05CC8A2372F439F25", +- "18F511E750C97B592ACD30DB7D9E5FCA660389102E6BF610C1BFBED4616C8362", +- "5D10705E0D1E43D5DBF30240CCFBDE4A0230C70D4C79147AB0B317EDAD2F8AE7", +- "25BDE0D875F0FEB5755F45BA5E857889D916ECF7476F116AA31DC3E037EC4292", +- /* support, challenge, thash, body */ +- "A0093007A0053003020101", +- "A1363034A003020101A122042018F511E750C97B592ACD30DB7D9E5FCA660389" +- "102E6BF610C1BFBED4616C8362A20930073005A003020101", +- "EAAA08807D0616026FF51C849EFBF35BA0CE3C5300E7D486DA46351B13D4605B", +- "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" +- "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" +- "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" +- "303130313030303030305AA703020100A8053003020110", +- /* K'[0], K'[1], K'[2], K'[3] */ +- "BAF12FAE7CD958CBF1A29BFBC71F89CE49E03E295D89DAFD", +- "64F73DD9C41908206BCEC1F719026B574F9D13463D7A2520", +- "0454520B086B152C455829E6BAEFF78A61DFE9E3D04A895D", +- "4A92260B25E3EF94C125D5C24C3E5BCED5B37976E67F25C4", +- }, +- + { ENCTYPE_ARCFOUR_HMAC, 
SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "8846F7EAEE8FB117AD06BDD830B7586C", +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index 7494d7fcdb..2f95d89967 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -1,24 +1,17 @@ + from k5test import * + +-# Define some convenience abbreviations for enctypes we will see in +-# test program output. For background, aes256 and aes128 are "CFX +-# enctypes", meaning that they imply support for RFC 4121, while des3 +-# and rc4 are not. DES3 keys will appear as 'des3-cbc-raw' in +-# t_enctypes output because that's how GSSAPI does raw triple-DES +-# encryption without the RFC3961 framing. ++# Define some convenience abbreviations for enctypes we will see in test ++# program output. For background, aes256 and aes128 are "CFX enctypes", ++# meaning that they imply support for RFC 4121, while rc4 does not. + aes256 = 'aes256-cts-hmac-sha1-96' + aes128 = 'aes128-cts-hmac-sha1-96' +-des3 = 'des3-cbc-sha1' +-d_des3 = 'DEPRECATED:des3-cbc-sha1' +-des3raw = 'des3-cbc-raw' +-d_des3raw = 'DEPRECATED:des3-cbc-raw' + rc4 = 'arcfour-hmac' + d_rc4 = 'DEPRECATED:arcfour-hmac' + + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. 
+-supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, ++supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal' ++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts', + test_err('acc aes128', None, 'aes128-cts', + 'Encryption type aes256-cts-hmac-sha1-96 not permitted') + +-# If the initiator constrains the permitted session enctypes to des3, +-# no acceptor subkey will be generated because we can't upgrade to a +-# CFX enctype. +-test('init des3', 'des3', None, +- tktenc=aes256, tktsession=d_des3, +- proto='rfc1964', isubkey=des3raw, asubkey=None) +- + # Force the ticket session key to be rc4, so we can test some subkey + # upgrade cases. The ticket encryption key remains aes256. + realm.run([kadminl, 'setstr', realm.host_princ, 'session_enctypes', 'rc4']) + + # With no arguments, the initiator should send an upgrade list of +-# [aes256 aes128 des3] and the acceptor should upgrade to an aes256 ++# [aes256 aes128] and the acceptor should upgrade to an aes256 + # subkey. + test('upgrade noargs', None, None, + tktenc=aes256, tktsession=d_rc4, +@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None, + tktenc=aes256, tktsession=d_rc4, + proto='cfx', isubkey=rc4, asubkey=aes128) + +-# If the initiator permits rc4 but prefers des3, it will send an +-# upgrade list of [des3], but the acceptor won't generate a subkey +-# because des3 isn't a CFX enctype. 
+-test('upgrade init des3+rc4', 'des3 rc4', None, +- tktenc=aes256, tktsession=d_rc4, +- proto='rfc1964', isubkey=rc4, asubkey=None) +- + # If the acceptor permits only aes128, subkey negotiation will fail + # because the ticket session key and initiator subkey are + # non-permitted. (This is unfortunate if the acceptor's restriction +diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c +index 882e163634..8192935099 100644 +--- a/src/tests/gssapi/t_invalid.c ++++ b/src/tests/gssapi/t_invalid.c +@@ -94,18 +94,6 @@ struct test { + size_t toklen; + const char *token; + } tests[] = { +- { +- ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW, +- SEAL_ALG_DES3KD, SGN_ALG_HMAC_SHA1_DES3_KD, 20, +- 24, +- "\x4F\xEA\x19\x19\x5E\x0E\x10\xDF\x3D\x29\xB5\x13\x8F\x01\xC7\xA7" +- "\x92\x3D\x38\xF7\x26\x73\x0D\x6D", +- 65, +- "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04" +- "\x00\x02\x00\xFF\xFF\xEB\xF3\x9A\x89\x24\x57\xB8\x63\x95\x25\xE8" +- "\x6E\x8E\x79\xE6\x2E\xCA\xD3\xFF\x57\x9F\x8C\xAB\xEF\xDD\x28\x10" +- "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4" +- }, + { + ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC, + SEAL_ALG_MICROSOFT_RC4, SGN_ALG_HMAC_MD5, 8, +diff --git a/src/tests/gssapi/t_pcontok.c b/src/tests/gssapi/t_pcontok.c +index 7368f752f0..bf22bd3da1 100644 +--- a/src/tests/gssapi/t_pcontok.c ++++ b/src/tests/gssapi/t_pcontok.c +@@ -43,7 +43,6 @@ + #include "k5-int.h" + #include "common.h" + +-#define SGN_ALG_HMAC_SHA1_DES3_KD 0x04 + #define SGN_ALG_HMAC_MD5 0x11 + + /* +@@ -77,17 +76,12 @@ make_delete_token(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *out) + ret = krb5_k_create_key(context, &seqkb, &seq); + check_k5err(context, "krb5_k_create_key", ret); + +- if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD) { +- cktype = CKSUMTYPE_HMAC_SHA1_DES3; +- cksize = 20; +- ckusage = 23; +- } else if (signalg == SGN_ALG_HMAC_MD5) { +- cktype = CKSUMTYPE_HMAC_MD5_ARCFOUR; +- cksize = 8; +- ckusage = 15; +- } else { ++ if 
(signalg != SGN_ALG_HMAC_MD5) + abort(); +- } ++ ++ cktype = CKSUMTYPE_HMAC_MD5_ARCFOUR; ++ cksize = 8; ++ ckusage = 15; + + tlen = 20 + mech_krb5.length + cksize; + token = malloc(tlen); +diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c +index f71774cdc9..d1857c433f 100644 +--- a/src/tests/gssapi/t_prf.c ++++ b/src/tests/gssapi/t_prf.c +@@ -41,13 +41,6 @@ static struct { + const char *key2; + const char *out2; + } tests[] = { +- { ENCTYPE_DES3_CBC_SHA1, +- "70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2", +- "9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9" +- "AC4A333D644D21BA3EF24F4A886D143F85AC9F6377FB", +- "3452A167DF1094BA1089E0A20E9E51ABEF1525922558B69E", +- "6BF24FABC858F8DD9752E4FCD331BB831F238B5BE190" +- "4EEA42E38F7A60C588F075C5C96A67E7F8B7BD0AECF4" }, + { ENCTYPE_ARCFOUR_HMAC, + "3BB3AE288C12B3B9D06B208A4151B3B6", + "9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28" +diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py +index bde1c36844..8fcd30db51 100644 +--- a/src/tests/t_authdata.py ++++ b/src/tests/t_authdata.py +@@ -179,7 +179,7 @@ realm.run([kvno, 'restricted']) + # preferred krbtgt enctype changes. 
+ mark('#8139 regression test') + realm.kinit(realm.user_princ, password('user'), ['-f']) +-realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'des3-cbc-sha1', ++realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-sha2', + realm.krbtgt_princ]) + realm.run(['./forward']) + realm.run([kvno, realm.host_princ]) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index c982508d8b..a6f538b66d 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,8 +1,7 @@ + from k5test import * + +-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, +- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} ++supported_enctypes = 'aes128-cts rc4-hmac' ++conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + + realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth', +@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines): + # With no newer enctypes in the request, PA-ETYPE-INFO2, + # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one + # key for the most preferred matching enctype. +-test_etinfo('user', 'rc4-hmac-exp des3 rc4', +- ['asrep etype_info2 des3-cbc-sha1 KRBTEST.COMuser', +- 'asrep etype_info des3-cbc-sha1 KRBTEST.COMuser', ++test_etinfo('user', 'rc4-hmac-exp rc4', ++ ['asrep etype_info2 rc4-hmac KRBTEST.COMuser', ++ 'asrep etype_info rc4-hmac KRBTEST.COMuser', + 'asrep pw_salt KRBTEST.COMuser']) + + # With a newer enctype in the request (even if it is not the most +@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts', + + # In preauth-required errors, PA-PW-SALT does not appear, but the same + # etype-info2 values are expected. 
+-test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4', +- ['error etype_info2 des3-cbc-sha1 KRBTEST.COMpreauthuser', +- 'error etype_info des3-cbc-sha1 KRBTEST.COMpreauthuser']) ++test_etinfo('preauthuser', 'rc4-hmac-exp rc4', ++ ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser', ++ 'error etype_info rc4-hmac KRBTEST.COMpreauthuser']) + test_etinfo('preauthuser', 'rc4 aes256-cts', + ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) + +@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', + # (to allow for preauth mechs which don't depend on long-term keys). + # An AS-REP cannot be generated without preauth as there is no reply + # key. +-test_etinfo('rc4user', 'des3', []) +-test_etinfo('nokeyuser', 'des3', []) ++test_etinfo('rc4user', 'aes128-cts', []) ++test_etinfo('nokeyuser', 'aes128-cts', []) + + # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED + # error if the client does optimistic preauth. +diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py +index e9840dfae8..583c2fa27e 100755 +--- a/src/tests/t_keyrollover.py ++++ b/src/tests/t_keyrollover.py +@@ -37,9 +37,9 @@ realm.run([klist, '-e'], expected_msg=msg) + + # Test that the KDC only accepts the first enctype for a kvno, for a + # local-realm TGS request. To set this up, we abuse an edge-case +-# behavior of modprinc -kvno. First, set up a DES3 krbtgt entry at ++# behavior of modprinc -kvno. First, set up an aes128-sha2 krbtgt entry at + # kvno 1 and cache a krbtgt ticket. 
+-realm.run([kadminl, 'cpw', '-randkey', '-e', 'des3-cbc-sha1', ++realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts-hmac-sha256-128', + realm.krbtgt_princ]) + realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ]) + realm.kinit(realm.user_princ, password('user')) +@@ -50,9 +50,9 @@ realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts', + realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ]) + out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ]) + if 'vno 1, aes256-cts' not in out or \ +- 'vno 1, DEPRECATED:des3-cbc-sha1' not in out: ++ 'vno 1, aes128-cts-hmac-sha256-128' not in out: + fail('keyrollover: setup for TGS enctype test failed') +-# Now present the DES3 ticket to the KDC and make sure it's rejected. ++# Now present the aes128-sha2 ticket to the KDC and make sure it's rejected. + realm.run([kvno, realm.host_princ], expected_code=1) + + realm.stop() +diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py +index 32f4070bcb..da0ed1831e 100755 +--- a/src/tests/t_mkey.py ++++ b/src/tests/t_mkey.py +@@ -7,7 +7,6 @@ import struct + # default enctype for master keys. + aes256 = 'aes256-cts-hmac-sha1-96' + aes128 = 'aes128-cts-hmac-sha1-96' +-des3 = 'des3-cbc-sha1' + defetype = aes256 + + realm = K5Realm(create_host=False, start_kadmind=True) +@@ -300,40 +299,6 @@ if 'Decrypt integrity check failed' in out or 'added to keytab' not in out: + + realm.stop() + +-# Load a dump file created with krb5 1.6, before the master key +-# rollover changes were introduced. Write out an old-format stash +-# file consistent with the dump's master password ("footes"). The K/M +-# entry in this database will not have actkvno tl-data because it was +-# created prior to master key rollover support. Verify that: +-# 1. We can access the database using the old-format stash file. +-# 2. list_mkeys displays the same list as for a post-1.7 KDB. 
+-mark('pre-1.7 stash file') +-dumpfile = os.path.join(srctop, 'tests', 'dumpfiles', 'dump.16') +-os.remove(stash_file) +-f = open(stash_file, 'wb') +-f.write(struct.pack('=HL24s', 16, 24, +- b'\xF8\x3E\xFB\xBA\x6D\x80\xD9\x54\xE5\x5D\xF2\xE0' +- b'\x94\xAD\x6D\x86\xB5\x16\x37\xEC\x7C\x8A\xBC\x86')) +-f.close() +-realm.run([kdb5_util, 'load', dumpfile]) +-nprincs = len(realm.run([kadminl, 'listprincs']).splitlines()) +-check_mkvno('K/M', 1) +-check_mkey_list((1, des3, True, True)) +- +-# Create a new master key and verify that, without actkvkno tl-data: +-# 1. list_mkeys displays the same as for a post-1.7 KDB. +-# 2. update_princ_encryption still targets mkvno 1. +-# 3. libkadm5 still uses mkvno 1 for key changes. +-# 4. use_mkey creates the same list as for a post-1.7 KDB. +-mark('rollover from pre-1.7 KDB') +-add_mkey([]) +-check_mkey_list((2, defetype, False, False), (1, des3, True, True)) +-update_princ_encryption(False, 1, 0, nprincs - 1) +-realm.run([kadminl, 'addprinc', '-randkey', realm.user_princ]) +-check_mkvno(realm.user_princ, 1) +-realm.run([kdb5_util, 'use_mkey', '2', 'now-1day']) +-check_mkey_list((2, defetype, True, True), (1, des3, True, False)) +- + # Regression test for #8395. Purge the master key and verify that a + # master key fetch does not segfault. + mark('#8395 regression test') +diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py +index 65084bbf35..55ca897459 100755 +--- a/src/tests/t_salt.py ++++ b/src/tests/t_salt.py +@@ -16,13 +16,12 @@ def test_salt(realm, e1, salt, e2): + + # Enctype/salt pairs chosen with non-default salt types. + # The enctypes are mostly arbitrary. +-salts = [('des3-cbc-sha1', 'norealm'), ++salts = [('aes128-cts-hmac-sha1-96', 'norealm'), + ('arcfour-hmac', 'onlyrealm'), + ('aes128-cts-hmac-sha1-96', 'special')] + # These enctypes are chosen to cover the different string-to-key routines. + # Omit ":normal" from aes256 to check that salttype defaulting works. 
+-second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal', +- 'des3-cbc-sha1:normal'] ++second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal'] + + # Test using different salt types in a principal's key list. + # Parameters from one key in the list must not leak over to later ones. +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 2a86c5cdfc..d823653aa0 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1338,13 +1338,6 @@ _passes = [ + # No special settings; exercises AES256. + ('default', None, None, None), + +- # Exercise the DES3 enctype. +- ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3'}}, +- {'realms': {'$realm': { +- 'supported_enctypes': 'des3-cbc-sha1:normal', +- 'master_key_type': 'des3-cbc-sha1'}}}), +- + # Exercise the arcfour enctype. + ('arcfour', None, + {'libdefaults': {'permitted_enctypes': 'rc4'}}, +diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm +index 1aebdd0b4a..c38eefd2bd 100644 +--- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm ++++ b/src/windows/leash/htmlhelp/html/Encryption_Types.htm +@@ -79,19 +79,6 @@ will have an entry in the Encryption type column.
+ Description + + +- des3- +- The triple DES family improves on +-the original DES (Data Encryption Standard) by using 3 separate 56-bit +-keys. Some modes of 3DES are considered weak while others are strong +-(if slow).
    +-
  • des3-cbc-sha1
  • +-
  • des3-cbc-raw (weak)
  • +-
  • des3-hmac-sha1
  • +-
  • des3-cbc-sha1-kd
  • +-
+- +- +- + aes + The AES Advanced Encryption Standard + family, like 3DES, is a symmetric block cipher and was designed +-- +2.45.1 + diff --git a/SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch new file mode 100644 index 0000000..989b501 --- /dev/null +++ b/SOURCES/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch 
@@ -0,0 +1,612 @@
+From 7b6453903c248a761d3ceb538dfacebbf3d3a9ff Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Fri, 9 Nov 2018 15:12:21 -0500
+Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
+
+NB: Use openssl's PRNG in FIPS mode and taint within krad.
+
+A lot of the FIPS error conditions from OpenSSL are incredibly
+mysterious (at best, things return NULL unexpectedly; at worst,
+internal assertions are tripped; most of the time, you just get
+ENOMEM). In order to cope with this, we need to have some level of
+awareness of what we can and can't safely call.
+
+This will slow down some calls slightly (FIPS_mode() takes multiple
+locks), but not for any ciphers we care about - which is to say that
+AES is fine. Shame about SPAKE though.
+
+post6 restores MD4 (and therefore keygen-only RC4).
+
+post7 restores MD5 and adds radius_md5_fips_override.
+
+post8 silences a static analyzer warning.
+
+Last-updated: krb5-1.20
+---
+ doc/admin/conf_files/krb5_conf.rst | 6 +++
+ src/lib/crypto/krb/prng.c | 15 +++++-
+ .../crypto/openssl/enc_provider/camellia.c | 6 +++
+ src/lib/crypto/openssl/enc_provider/rc4.c | 13 +++++-
+ .../crypto/openssl/hash_provider/hash_evp.c | 12 +++++
+ src/lib/crypto/openssl/hmac.c | 6 ++-
+ src/lib/krad/attr.c | 46 ++++++++++++++-----
+ src/lib/krad/attrset.c | 5 +-
+ src/lib/krad/internal.h | 28 ++++++++++-
+ src/lib/krad/packet.c | 22 +++++----
+ src/lib/krad/remote.c | 10 +++-
+ src/lib/krad/t_attr.c | 3 +-
+ src/lib/krad/t_attrset.c | 4 +-
+ src/plugins/preauth/spake/spake_client.c | 6 +++
+ src/plugins/preauth/spake/spake_kdc.c | 6 +++
+ 15 files changed, 155 insertions(+), 33 deletions(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index f22d5db11b..a33711d918 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations:
+ qualification of shortnames, set
this relation to the empty string
+ with ``qualify_shortname = ""``. (New in release 1.18.)
+
++**radius_md5_fips_override**
++ Downstream-only option to enable use of MD5 in RADIUS
++ communication (libkrad). This allows for local (or protected
++ tunnel) communication with a RADIUS server that doesn't use krad
++ (e.g., freeradius) while in FIPS mode.
++
+ **rdns**
+ If this flag is true, reverse name lookup will be used in addition
+ to forward name lookup to canonicalizing hostnames for use in
+diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
+index d6b79e2dea..9e80a03d21 100644
+--- a/src/lib/crypto/krb/prng.c
++++ b/src/lib/crypto/krb/prng.c
+@@ -26,6 +26,12 @@
+
+ #include "crypto_int.h"
+
++#include
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#include
++#endif
++
+ krb5_error_code KRB5_CALLCONV
+ krb5_c_random_seed(krb5_context context, krb5_data *data)
+ {
+@@ -96,9 +102,16 @@ cleanup:
+ static krb5_boolean
+ get_os_entropy(unsigned char *buf, size_t len)
+ {
+-#if defined(__linux__) && defined(SYS_getrandom)
+ int r;
+
++ /* A wild FIPS mode appeared! */
++ if (FIPS_mode()) {
++ /* The return codes on this API are not good */
++ r = RAND_bytes(buf, len);
++ return r == 1;
++ }
++
++#if defined(__linux__) && defined(SYS_getrandom)
+ while (len > 0) {
+ /*
+ * Pull from the /dev/urandom pool, but require it to have been seeded.
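Review bot: `r = RAND_bytes(buf, len);` in the get_os_entropy hunk passes a `size_t` to RAND_bytes's `int` length parameter, so a request larger than INT_MAX is silently truncated or turned negative and the `r == 1` test then reports failure for a reason unrelated to entropy availability; the getrandom path below loops with `while (len > 0)`, but the FIPS path returns after a single call. A guard before the call, `if (len > INT_MAX) return FALSE;` (with `<limits.h>` included if it is not already), keeps the two paths equally safe. The comment "The return codes on this API are not good" would be more useful if it named what is being collapsed: `/* RAND_bytes: 1 = ok, 0 = failure, -1 = not supported; anything but 1 is failure. */`. The header names on the new `#include` lines appear to have been lost in this rendering, so I cannot tell which header supplies FIPS_mode() for the >= 3.0 branch; the rest of get_os_entropy lies outside the hunk.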
+diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
+index 01920e6ce1..d9f327add6 100644
+--- a/src/lib/crypto/openssl/enc_provider/camellia.c
++++ b/src/lib/crypto/openssl/enc_provider/camellia.c
+@@ -387,6 +387,9 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
+ unsigned char blockY[CAMELLIA_BLOCK_SIZE], blockB[CAMELLIA_BLOCK_SIZE];
+ struct iov_cursor cursor;
+
++ if (FIPS_mode())
++ return KRB5_CRYPTO_INTERNAL;
++
+ if (output->length < CAMELLIA_BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
+
+@@ -418,6 +421,9 @@ static krb5_error_code
+ krb5int_camellia_init_state (const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+ {
++ if (FIPS_mode())
++ return KRB5_CRYPTO_INTERNAL;
++
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
+index 448d563348..ce63cb5f1b 100644
+--- a/src/lib/crypto/openssl/enc_provider/rc4.c
++++ b/src/lib/crypto/openssl/enc_provider/rc4.c
+@@ -69,6 +69,9 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
+ EVP_CIPHER_CTX *ctx = NULL;
+ struct arcfour_state *arcstate;
+
++ if (FIPS_mode())
++ return KRB5_CRYPTO_INTERNAL;
++
+ arcstate = (state != NULL) ?
(void *)state->data : NULL;
+ if (arcstate != NULL) {
+ ctx = arcstate->ctx;
+@@ -116,7 +119,12 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
+ static void
+ k5_arcfour_free_state(krb5_data *state)
+ {
+- struct arcfour_state *arcstate = (void *)state->data;
++ struct arcfour_state *arcstate;
++
++ if (FIPS_mode())
++ return;
++
++ arcstate = (void *) state->data;
+
+ EVP_CIPHER_CTX_free(arcstate->ctx);
+ free(arcstate);
+@@ -128,6 +136,9 @@ k5_arcfour_init_state(const krb5_keyblock *key,
+ {
+ struct arcfour_state *arcstate;
+
++ if (FIPS_mode())
++ return KRB5_CRYPTO_INTERNAL;
++
+ /*
+ * The cipher state here is a saved pointer to a struct arcfour_state
+ * object, rather than a flat byte array as in most enc providers. The
+diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
+index f2fbffdb29..11659908bb 100644
+--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
++++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c
+@@ -60,6 +60,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
+ if (ctx == NULL)
+ return ENOMEM;
+
++ if (type == EVP_md4() || type == EVP_md5()) {
++ /* See comments below in hash_md4() and hash_md5(). */
++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ }
++
+ ok = EVP_DigestInit_ex(ctx, type, NULL);
+ for (i = 0; i < num_data; i++) {
+ if (!SIGN_IOV(&data[i]))
+@@ -78,6 +83,11 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data,
+ static krb5_error_code
+ hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+ {
++ /*
++ * MD4 is needed in FIPS mode to perform key generation for RC4 keys used
++ * by IPA. These keys are only used along a (separately) secured channel
++ * for legacy reasons when performing trusts to Active Directory.
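Review bot: The `if (FIPS_mode()) return;` added to k5_arcfour_free_state (rc4.c -116 hunk) skips freeing `arcstate` and its EVP_CIPHER_CTX, and it keys the decision on a process-wide mode rather than on the state it was handed. Since k5_arcfour_init_state in the next hunk now refuses to allocate in FIPS mode, the guard presumably exists so that a never-initialised `state->data` is not dereferenced; if so, `if (arcstate == NULL) return;` placed after the `arcstate = (void *) state->data;` assignment states that intent directly and still frees a state that was created before FIPS mode was consulted. The closing brace of k5_arcfour_free_state is outside the hunk.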
++ */ + return hash_evp(EVP_md4(), data, num_data, output); + } + +@@ -90,6 +100,8 @@ const struct krb5_hash_provider krb5int_hash_md4 = { + static krb5_error_code + hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) + { ++ /* MD5 is needed in FIPS mode for communication with RADIUS servers. This ++ * is gated in libkrad by libdefaults->radius_md5_fips_override. */ + return hash_evp(EVP_md5(), data, num_data, output); + } + +diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c +index bf12b8d6a0..f21e268f7f 100644 +--- a/src/lib/crypto/openssl/hmac.c ++++ b/src/lib/crypto/openssl/hmac.c +@@ -111,7 +111,11 @@ map_digest(const struct krb5_hash_provider *hash) + return EVP_sha256(); + else if (hash == &krb5int_hash_sha384) + return EVP_sha384(); +- else if (hash == &krb5int_hash_md5) ++ ++ if (FIPS_mode()) ++ return NULL; ++ ++ if (hash == &krb5int_hash_md5) + return EVP_md5(); + else if (hash == &krb5int_hash_md4) + return EVP_md4(); +diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c +index 9c13d9d755..42d354a3b5 100644 +--- a/src/lib/krad/attr.c ++++ b/src/lib/krad/attr.c +@@ -38,7 +38,8 @@ + typedef krb5_error_code + (*attribute_transform_fn)(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + typedef struct { + const char *name; +@@ -51,12 +52,14 @@ typedef struct { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char 
outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *ignored); + + static const attribute_record attributes[UCHAR_MAX] = { + {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL}, +@@ -128,7 +131,8 @@ static const attribute_record attributes[UCHAR_MAX] = { + static krb5_error_code + user_password_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -154,8 +158,15 @@ user_password_encode(krb5_context ctx, const char *secret, + for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) { + memcpy(tmp.data + seclen, indx, BLOCKSIZE); + +- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, +- &sum); ++ if (kr_use_fips(ctx)) { ++ /* Skip encryption here. Taint so that we won't pass it out of ++ * the machine by accident. */ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else { ++ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp, ++ &sum); ++ } + if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, len); +@@ -180,7 +191,8 @@ user_password_encode(krb5_context ctx, const char *secret, + static krb5_error_code + user_password_decode(krb5_context ctx, const char *secret, + const unsigned char *auth, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + const unsigned char *indx; + krb5_error_code retval; +@@ -204,8 +216,15 @@ user_password_decode(krb5_context ctx, const char *secret, + for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) { + memcpy(tmp.data + seclen, indx, BLOCKSIZE); + +- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, +- &tmp, &sum); ++ if (kr_use_fips(ctx)) { ++ /* Skip encryption here. 
Taint so that we won't pass it out of ++ * the machine by accident. */ ++ *is_fips = TRUE; ++ sum.contents = calloc(1, BLOCKSIZE); ++ } else { ++ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, ++ &tmp, &sum); ++ } + if (retval != 0) { + zap(tmp.data, tmp.length); + zap(outbuf, in->length); +@@ -248,7 +267,7 @@ krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, + const unsigned char *auth, krad_attr type, + const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], +- size_t *outlen) ++ size_t *outlen, krb5_boolean *is_fips) + { + krb5_error_code retval; + +@@ -265,7 +284,8 @@ kr_attr_encode(krb5_context ctx, const char *secret, + return 0; + } + +- return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen, ++ is_fips); + } + + krb5_error_code +@@ -274,6 +294,7 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen) + { + krb5_error_code retval; ++ krb5_boolean ignored; + + retval = kr_attr_valid(type, in); + if (retval != 0) +@@ -288,7 +309,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + return 0; + } + +- return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen); ++ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen, ++ &ignored); + } + + krad_attr +diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c +index f309f1581c..6ec031e320 100644 +--- a/src/lib/krad/attrset.c ++++ b/src/lib/krad/attrset.c +@@ -167,7 +167,8 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen) ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips) + { + unsigned char buffer[MAX_ATTRSIZE]; + 
krb5_error_code retval; +@@ -181,7 +182,7 @@ kr_attrset_encode(const krad_attrset *set, const char *secret, + + K5_TAILQ_FOREACH(a, &set->list, list) { + retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, +- buffer, &attrlen); ++ buffer, &attrlen, is_fips); + if (retval != 0) + return retval; + +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index 7619563fc5..e123763954 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -39,6 +39,8 @@ + #include + #include + ++#include ++ + #ifndef UCHAR_MAX + #define UCHAR_MAX 255 + #endif +@@ -49,6 +51,13 @@ + + typedef struct krad_remote_st krad_remote; + ++struct krad_packet_st { ++ char buffer[KRAD_PACKET_SIZE_MAX]; ++ krad_attrset *attrset; ++ krb5_data pkt; ++ krb5_boolean is_fips; ++}; ++ + /* Validate constraints of an attribute. */ + krb5_error_code + kr_attr_valid(krad_attr type, const krb5_data *data); +@@ -57,7 +66,8 @@ kr_attr_valid(krad_attr type, const krb5_data *data); + krb5_error_code + kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth, + krad_attr type, const krb5_data *in, +- unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode an attribute. */ + krb5_error_code +@@ -69,7 +79,8 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, + krb5_error_code + kr_attrset_encode(const krad_attrset *set, const char *secret, + const unsigned char *auth, +- unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen); ++ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen, ++ krb5_boolean *is_fips); + + /* Decode attributes from a buffer. 
*/ + krb5_error_code +@@ -156,4 +167,17 @@ gai_error_code(int err) + } + } + ++static inline krb5_boolean ++kr_use_fips(krb5_context ctx) ++{ ++ int val = 0; ++ ++ if (!FIPS_mode()) ++ return 0; ++ ++ (void)profile_get_boolean(ctx->profile, "libdefaults", ++ "radius_md5_fips_override", NULL, 0, &val); ++ return !val; ++} ++ + #endif /* INTERNAL_H_ */ +diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c +index c597174b65..fc2d248001 100644 +--- a/src/lib/krad/packet.c ++++ b/src/lib/krad/packet.c +@@ -53,12 +53,6 @@ typedef unsigned char uchar; + #define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH)) + #define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR)) + +-struct krad_packet_st { +- char buffer[KRAD_PACKET_SIZE_MAX]; +- krad_attrset *attrset; +- krb5_data pkt; +-}; +- + typedef struct { + uchar x[(UCHAR_MAX + 1) / 8]; + } idmap; +@@ -187,8 +181,14 @@ auth_generate_response(krb5_context ctx, const char *secret, + memcpy(data.data + response->pkt.length, secret, strlen(secret)); + + /* Hash it. */ +- retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, +- &hash); ++ if (kr_use_fips(ctx)) { ++ /* This checksum does very little security-wise anyway, so don't ++ * taint. */ ++ hash.contents = calloc(1, AUTH_FIELD_SIZE); ++ } else { ++ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data, ++ &hash); ++ } + free(data.data); + if (retval != 0) + return retval; +@@ -276,7 +276,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. */ + retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -314,7 +314,7 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, + + /* Encode the attributes. 
*/ + retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), +- &attrset_len); ++ &attrset_len, &pkt->is_fips); + if (retval != 0) + goto error; + +@@ -451,6 +451,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, + const krb5_data * + krad_packet_encode(const krad_packet *pkt) + { ++ if (pkt->is_fips) ++ return NULL; + return &pkt->pkt; + } + +diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c +index 06ae751bc8..929f1cef67 100644 +--- a/src/lib/krad/remote.c ++++ b/src/lib/krad/remote.c +@@ -263,7 +263,7 @@ on_io_write(krad_remote *rr) + request *r; + + K5_TAILQ_FOREACH(r, &rr->list, list) { +- tmp = krad_packet_encode(r->request); ++ tmp = &r->request->pkt; + + /* If the packet has already been sent, do nothing. */ + if (r->sent == tmp->length) +@@ -359,7 +359,7 @@ on_io_read(krad_remote *rr) + if (req != NULL) { + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == req && +- r->sent == krad_packet_encode(req)->length) { ++ r->sent == req->pkt.length) { + request_finish(r, 0, rsp); + break; + } +@@ -460,6 +460,12 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, + (krad_packet_iter_cb)iterator, &r, &tmp); + if (retval != 0) + goto error; ++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL && ++ rr->info->ai_family != AF_UNIX) { ++ /* This would expose cleartext passwords, so abort. 
*/ ++ retval = ESOCKTNOSUPPORT; ++ goto error; ++ } + + K5_TAILQ_FOREACH(r, &rr->list, list) { + if (r->request == tmp) { +diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c +index eb2a780c89..4d285ad9de 100644 +--- a/src/lib/krad/t_attr.c ++++ b/src/lib/krad/t_attr.c +@@ -50,6 +50,7 @@ main() + const char *tmp; + krb5_data in; + size_t len; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + +@@ -73,7 +74,7 @@ main() + in = string2data((char *)decoded); + retval = kr_attr_encode(ctx, secret, auth, + krad_attr_name2num("User-Password"), +- &in, outbuf, &len); ++ &in, outbuf, &len, &is_fips); + insist(retval == 0); + insist(len == sizeof(encoded)); + insist(memcmp(outbuf, encoded, len) == 0); +diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c +index 7928335ca4..0f95762534 100644 +--- a/src/lib/krad/t_attrset.c ++++ b/src/lib/krad/t_attrset.c +@@ -49,6 +49,7 @@ main() + krb5_context ctx; + size_t len = 0, encode_len; + krb5_data tmp; ++ krb5_boolean is_fips = FALSE; + + noerror(krb5_init_context(&ctx)); + noerror(krad_attrset_new(ctx, &set)); +@@ -62,7 +63,8 @@ main() + noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); + + /* Encode attrset. */ +- noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len)); ++ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len, ++ &is_fips)); + krad_attrset_free(set); + + /* Manually encode User-Name. 
*/ +diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c +index 00734a13b5..a3ce22b70f 100644 +--- a/src/plugins/preauth/spake/spake_client.c ++++ b/src/plugins/preauth/spake/spake_client.c +@@ -38,6 +38,8 @@ + #include "groups.h" + #include + ++#include ++ + typedef struct reqstate_st { + krb5_pa_spake *msg; /* set in prep_questions, used in process */ + krb5_keyblock *initial_key; +@@ -375,6 +377,10 @@ clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; ++ ++ if (FIPS_mode()) ++ return KRB5_CRYPTO_INTERNAL; ++ + vt = (krb5_clpreauth_vtable)vtable; + vt->name = "spake"; + vt->pa_type_list = pa_types; +diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c +index 1a772d450f..232e78bc05 100644 +--- a/src/plugins/preauth/spake/spake_kdc.c ++++ b/src/plugins/preauth/spake/spake_kdc.c +@@ -41,6 +41,8 @@ + + #include + ++#include ++ + /* + * The SPAKE kdcpreauth module uses a secure cookie containing the following + * concatenated fields (all integer fields are big-endian): +@@ -551,6 +553,10 @@ kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; ++ ++ if (FIPS_mode()) ++ return KRB5_CRYPTO_INTERNAL; ++ + vt = (krb5_kdcpreauth_vtable)vtable; + vt->name = "spake"; + vt->pa_type_list = pa_types; +-- +2.45.1 + diff --git a/SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch b/SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch new file mode 100644 index 0000000..b339700 --- /dev/null +++ b/SOURCES/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch 
@@ -0,0 +1,82 @@
+From 707fa7bd2be6327343dc8fc5c20dc77645524518 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
+ with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2082189
+---
+ src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 929f1cef67..063f17a613 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+
+@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+ static void
+ on_timeout(verto_ctx *ctx, verto_ev *ev);
+
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++ struct addrinfo *p;
++
++ for (p = info; p; p = p->ai_next) {
++ switch (p->ai_family) {
++ case AF_INET:
++ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++ >> IN_CLASSA_NSHIFT))
++ return false;
++ break;
++ case AF_INET6:
++ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++ return false;
++ break;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ /* Iterate over the set of outstanding packets. */
+ static const krad_packet *
+ iterator(request **out)
+@@ -460,8 +490,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ (krad_packet_iter_cb)iterator, &r, &tmp);
+ if (retval != 0)
+ goto error;
+- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+- rr->info->ai_family != AF_UNIX) {
++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++ && rr->info->ai_family != AF_UNIX
++ && !is_inet_localhost(rr->info)) {
+ /* This would expose cleartext passwords, so abort. */
+ retval = ESOCKTNOSUPPORT;
+ goto error;
+--
+2.45.1
+
diff --git a/SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
new file mode 100644
index 0000000..ceb9595
--- /dev/null
+++ b/SOURCES/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
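Review bot: The IPv4 branch of `is_inet_localhost` is both byte-order dependent and mis-parenthesized: `>>` binds tighter than `&`, so `get_in_addr(p) & IN_CLASSA_NET >> IN_CLASSA_NSHIFT` masks `s_addr` with 0xff instead of extracting the class-A network field, and `s_addr` is never converted out of network byte order. On little-endian hosts the low byte happens to be the first octet, so 127/8 is accepted as intended; on big-endian hosts it is the last octet, so `127.0.0.1` is rejected while any address whose final octet is 127 is treated as loopback, which defeats the cleartext-password guard in `kr_remote_send`. Convert and parenthesize explicitly: `if (((ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) != IN_LOOPBACKNET)`. A comment noting that the AF_INET6 branch deliberately fails closed for IPv4-mapped loopback (`IN6_IS_ADDR_LOOPBACK` is false for `::ffff:127.0.0.1`) would also help; `kr_remote_send` itself begins outside the hunk.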
@@ -0,0 +1,41 @@
+From 1da88bea558348be2974470774aa688f8be634c0 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 7 Dec 2022 13:22:42 +0100
+Subject: [PATCH] [downstream] Make tests compatible with
+ sssd_krb5_locator_plugin.so
+
+The sssd_krb5_locator_plugin.so plugin provided by sssd-client conflicts
+with the upstream test t_discover_uri.py. The test has to be modified in
+order to avoid false positive.
+---
+ src/lib/krb5/os/t_discover_uri.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/os/t_discover_uri.py b/src/lib/krb5/os/t_discover_uri.py
+index 87bac17929..26bc95a8dc 100644
+--- a/src/lib/krb5/os/t_discover_uri.py
++++ b/src/lib/krb5/os/t_discover_uri.py
+@@ -1,3 +1,4 @@
++from os.path import exists
+ from k5test import *
+
+ entries = ('URI _kerberos.TEST krb5srv::kkdcp:https://kdc1 1 1\n',
+@@ -37,8 +38,14 @@ realm.env['RESOLV_WRAPPER_HOSTS'] = hosts_filename
+ out = realm.run(['./t_locate_kdc', 'TEST'], env=realm.env)
+ l = out.splitlines()
+
++if (exists('/usr/lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')
++ or exists('/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')):
++ line_range = range(6, 14)
++else:
++ line_range = range(4, 12)
++
+ j = 0
+-for i in range(4, 12):
++for i in line_range:
+ if l[i].strip() != expected[j]:
+ fail('URI answers do not match')
+ j += 1
+--
+2.45.1
+
diff --git a/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch b/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
new file mode 100644
index 0000000..ef6f825
--- /dev/null
+++ b/SOURCES/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
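Review bot: The shift from `range(4, 12)` to `range(6, 14)` is an unexplained magic offset: the test assumes the sssd locator plugin contributes exactly two extra lines ahead of the URI answers, and it infers the plugin's presence from two hard-coded library paths rather than from what `t_locate_kdc` printed. A comment next to the new `if`, such as `# sssd_krb5_locator_plugin, when installed, prepends two answers of its own; skip them.`, would record the assumption for whoever hits the next off-by-two failure. Deriving the offset from the output itself (finding `expected[0]` in `l`) would also be more robust, since a plugin file being present does not guarantee it is loaded under `realm.env`; that last point is inferred, as the plugin directory configuration is not visible here.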
@@ -0,0 +1,120 @@ +From 775ed8588cc21385fb16a4cec4a861f0d578ce04 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 5 Jan 2023 20:06:47 +0100 +Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header + +The inclusion of openssl/fips.h, which provides the declaration of +FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this +header file has to be included explicitly in krb5 code. +--- + src/lib/crypto/krb/prng.c | 4 +++- + src/lib/crypto/openssl/enc_provider/camellia.c | 1 + + src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++++ + src/lib/crypto/openssl/hmac.c | 1 + + src/lib/krad/internal.h | 4 ++++ + src/plugins/preauth/spake/spake_client.c | 4 ++++ + src/plugins/preauth/spake/spake_kdc.c | 4 ++++ + 7 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c +index 9e80a03d21..ae37c77518 100644 +--- a/src/lib/crypto/krb/prng.c ++++ b/src/lib/crypto/krb/prng.c +@@ -28,7 +28,9 @@ + + #include + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#else + #include + #endif + +diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c +index d9f327add6..3dd3b0624f 100644 +--- a/src/lib/crypto/openssl/enc_provider/camellia.c ++++ b/src/lib/crypto/openssl/enc_provider/camellia.c +@@ -32,6 +32,7 @@ + #include + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include ++#include + #else + #include + #endif +diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c +index ce63cb5f1b..6a83f10d27 100644 +--- a/src/lib/crypto/openssl/enc_provider/rc4.c ++++ b/src/lib/crypto/openssl/enc_provider/rc4.c +@@ -38,6 +38,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + /* + * The loopback field is a pointer to the structure. 
If the application copies + * the state (not a valid operation, but one which happens to works with some +diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c +index f21e268f7f..25a419d73a 100644 +--- a/src/lib/crypto/openssl/hmac.c ++++ b/src/lib/crypto/openssl/hmac.c +@@ -59,6 +59,7 @@ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include + #include ++#include + #else + #include + #endif +diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h +index e123763954..a17b6f39b1 100644 +--- a/src/lib/krad/internal.h ++++ b/src/lib/krad/internal.h +@@ -41,6 +41,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + #ifndef UCHAR_MAX + #define UCHAR_MAX 255 + #endif +diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c +index a3ce22b70f..13c699071f 100644 +--- a/src/plugins/preauth/spake/spake_client.c ++++ b/src/plugins/preauth/spake/spake_client.c +@@ -40,6 +40,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + typedef struct reqstate_st { + krb5_pa_spake *msg; /* set in prep_questions, used in process */ + krb5_keyblock *initial_key; +diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c +index 232e78bc05..3394f8a58e 100644 +--- a/src/plugins/preauth/spake/spake_kdc.c ++++ b/src/plugins/preauth/spake/spake_kdc.c +@@ -43,6 +43,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif ++ + /* + * The SPAKE kdcpreauth module uses a secure cookie containing the following + * concatenated fields (all integer fields are big-endian): +-- +2.45.1 + diff --git a/SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch b/SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch new file mode 100644 index 0000000..bd4ab77 --- /dev/null +++ b/SOURCES/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch 
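Review bot: The new `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` include blocks carry no comment saying what they provide, and with the header name lost in this rendering a reader cannot tell from the hunk that the dependency is the `FIPS_mode()` declaration named in the commit message. Upstream OpenSSL 3 does not ship `FIPS_mode()` at all, so these includes tie the build to a distribution OpenSSL that carries the compatibility header; a one-line comment on each new include, e.g. `/* FIPS_mode(): only present in the distribution's OpenSSL 3 build */`, makes that explicit for anyone rebuilding against a different OpenSSL 3. The same guarded block is repeated across the seven files in the diffstat; hoisting it into one shared internal header would keep it in one place, though whether the include graph permits that is not visible here. The `prng.c` hunk also inverts the existing version conditional, which is harmless but worth a mention in the commit message.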
@@ -0,0 +1,31 @@
+From 4fd20741afcf76085ea62eb015cd589bb9392a7b Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Mon, 9 Jan 2023 22:39:52 +0100
+Subject: [PATCH] [downstream] Do not set root as ksu file owner
+
+Upstream Makefile uses the install command to set root as owner of the
+ksu executable file. However, this is no longer supported on latest
+versions of the Mock build environment.
+
+In case of ksu, the owner, group, and mode are already set using %attr()
+in the specfile.
+---
+ src/config/pre.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/config/pre.in b/src/config/pre.in
+index 7eaa2f351c..e9ae71471e 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+ INSTALL_SCRIPT=@INSTALL_PROGRAM@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL)
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+ prefix=@prefix@
+--
+2.45.1
+
diff --git a/SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch b/SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
new file mode 100644
index 0000000..5e45141
--- /dev/null
+++ b/SOURCES/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
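Review bot: `INSTALL_SETUID=$(INSTALL)` drops `$(INSTALL_STRIP)` together with the ownership and mode flags, so a program installed through this variable is no longer stripped even though `INSTALL_PROGRAM` on the context line still is; the commit message only justifies removing `-m 4755 -o root`. Keep parity with the other install variables: `INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP)`. A comment beside the variable, e.g. `## setuid bit and root ownership are applied by the package's %attr(), not here`, would also tell the next reader that a plain `make install` now yields a non-setuid ksu by design rather than by accident.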
@@ -0,0 +1,165 @@ +From 16f90c007036789d8d9343e8a0cbabfd21853b5a Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Thu, 19 Jan 2023 19:22:27 +0100 +Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode + +OpenSSL's restrictions to use KRB5KDF, MD5, and MD4 in FIPS mode are +bypassed in case AES SHA-1 HMAC or RC4 encryption types are allowed by +the crypto policy. +--- + .../crypto/openssl/hash_provider/hash_evp.c | 97 +++++++++++++++++-- + src/lib/crypto/openssl/kdf.c | 2 +- + 2 files changed, 89 insertions(+), 10 deletions(-) + +diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c +index 11659908bb..eb2e693e9f 100644 +--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c ++++ b/src/lib/crypto/openssl/hash_provider/hash_evp.c +@@ -44,6 +44,49 @@ + #define EVP_MD_CTX_free EVP_MD_CTX_destroy + #endif + ++#include ++#include ++#include ++ ++typedef struct ossl_lib_md_context { ++ OSSL_LIB_CTX *libctx; ++ OSSL_PROVIDER *default_provider; ++ OSSL_PROVIDER *legacy_provider; ++} ossl_md_context_t; ++ ++static thread_local ossl_md_context_t *ossl_md_ctx = NULL; ++ ++static krb5_error_code ++init_ossl_md_ctx(ossl_md_context_t *ctx, const char *algo) ++{ ++ ctx->libctx = OSSL_LIB_CTX_new(); ++ if (!ctx->libctx) ++ return KRB5_CRYPTO_INTERNAL; ++ ++ /* Load both legacy and default provider as both may be needed. 
*/ ++ ctx->default_provider = OSSL_PROVIDER_load(ctx->libctx, "default"); ++ ctx->legacy_provider = OSSL_PROVIDER_load(ctx->libctx, "legacy"); ++ ++ if (!(ctx->default_provider && ctx->legacy_provider)) ++ return KRB5_CRYPTO_INTERNAL; ++ ++ return 0; ++} ++ ++static void ++deinit_ossl_ctx(ossl_md_context_t *ctx) ++{ ++ if (ctx->legacy_provider) ++ OSSL_PROVIDER_unload(ctx->legacy_provider); ++ ++ if (ctx->default_provider) ++ OSSL_PROVIDER_unload(ctx->default_provider); ++ ++ if (ctx->libctx) ++ OSSL_LIB_CTX_free(ctx->libctx); ++} ++ ++ + static krb5_error_code + hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, + krb5_data *output) +@@ -60,11 +103,6 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, + if (ctx == NULL) + return ENOMEM; + +- if (type == EVP_md4() || type == EVP_md5()) { +- /* See comments below in hash_md4() and hash_md5(). */ +- EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); +- } +- + ok = EVP_DigestInit_ex(ctx, type, NULL); + for (i = 0; i < num_data; i++) { + if (!SIGN_IOV(&data[i])) +@@ -77,6 +115,43 @@ hash_evp(const EVP_MD *type, const krb5_crypto_iov *data, size_t num_data, + return ok ? 
0 : KRB5_CRYPTO_INTERNAL; + } + ++static krb5_error_code ++hash_legacy_evp(const char *algo, const krb5_crypto_iov *data, size_t num_data, ++ krb5_data *output) ++{ ++ krb5_error_code err; ++ EVP_MD *md = NULL; ++ ++ if (!ossl_md_ctx) { ++ ossl_md_ctx = malloc(sizeof(ossl_md_context_t)); ++ if (!ossl_md_ctx) { ++ err = ENOMEM; ++ goto end; ++ } ++ ++ err = init_ossl_md_ctx(ossl_md_ctx, algo); ++ if (err) { ++ deinit_ossl_ctx(ossl_md_ctx); ++ free(ossl_md_ctx); ++ ossl_md_ctx = NULL; ++ goto end; ++ } ++ } ++ ++ md = EVP_MD_fetch(ossl_md_ctx->libctx, algo, NULL); ++ if (!md) { ++ err = KRB5_CRYPTO_INTERNAL; ++ goto end; ++ } ++ ++ err = hash_evp(md, data, num_data, output); ++ ++end: ++ if (md) ++ EVP_MD_free(md); ++ ++ return err; ++} + #endif + + #ifdef K5_OPENSSL_MD4 +@@ -88,7 +163,8 @@ hash_md4(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) + * by IPA. These keys are only used along a (separately) secured channel + * for legacy reasons when performing trusts to Active Directory. + */ +- return hash_evp(EVP_md4(), data, num_data, output); ++ return FIPS_mode() ? hash_legacy_evp("MD4", data, num_data, output) ++ : hash_evp(EVP_md4(), data, num_data, output); + } + + const struct krb5_hash_provider krb5int_hash_md4 = { +@@ -100,9 +176,12 @@ const struct krb5_hash_provider krb5int_hash_md4 = { + static krb5_error_code + hash_md5(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) + { +- /* MD5 is needed in FIPS mode for communication with RADIUS servers. This +- * is gated in libkrad by libdefaults->radius_md5_fips_override. */ +- return hash_evp(EVP_md5(), data, num_data, output); ++ /* ++ * MD5 is needed in FIPS mode for communication with RADIUS servers. This ++ * is gated in libkrad by libdefaults->radius_md5_fips_override. ++ */ ++ return FIPS_mode() ? 
hash_legacy_evp("MD5", data, num_data, output) ++ : hash_evp(EVP_md5(), data, num_data, output); + } + + const struct krb5_hash_provider krb5int_hash_md5 = { +diff --git a/src/lib/crypto/openssl/kdf.c b/src/lib/crypto/openssl/kdf.c +index 5a43c3d9eb..8528ddc4a9 100644 +--- a/src/lib/crypto/openssl/kdf.c ++++ b/src/lib/crypto/openssl/kdf.c +@@ -198,7 +198,7 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc, krb5_key key, + goto done; + } + +- kdf = EVP_KDF_fetch(NULL, "KRB5KDF", NULL); ++ kdf = EVP_KDF_fetch(NULL, "KRB5KDF", "-fips"); + if (kdf == NULL) { + ret = KRB5_CRYPTO_INTERNAL; + goto done; +-- +2.45.1 + diff --git a/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch b/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch new file mode 100644 index 0000000..57b4a76 --- /dev/null +++ b/SOURCES/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch 
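Review bot: `hash_legacy_evp` obtains the per-thread context with `malloc`, but `init_ossl_md_ctx` returns early when `OSSL_LIB_CTX_new()` fails, before `default_provider` and `legacy_provider` are assigned, and the error path then calls `deinit_ossl_ctx`, whose `if (ctx->legacy_provider)` / `if (ctx->default_provider)` guards read uninitialized pointers and may unload garbage. Zero the allocation so those guards are meaningful: `ossl_md_ctx = calloc(1, sizeof(*ossl_md_ctx));`. The `algo` parameter of `init_ossl_md_ctx` is unused, and the thread-local `OSSL_LIB_CTX` with its two loaded providers is never released on thread exit, which looks like a per-thread leak (inferred; no destructor appears in the hunk). The commit message says the non-FIPS MD4/MD5 path is gated on the crypto policy, yet `hash_md4`/`hash_md5` select `hash_legacy_evp` on `FIPS_mode()` alone; a comment pointing at where that policy gate lives (presumably the permitted-enctype lists) would stop readers from concluding these digests are unconditionally available under FIPS.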
@@ -0,0 +1,280 @@ +From 23b58199db429603802e338db530677b61561335 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 15 Mar 2023 15:56:34 +0100 +Subject: [PATCH] [downstream] Allow to set PAC ticket signature as + optional + +MS-PAC states that "The ticket signature SHOULD be included in tickets +that are not encrypted to the krbtgt account". However, the +implementation of krb5_kdc_verify_ticket() will require the ticket +signature to be present in case the target of the request is a service +principal. + +In gradual upgrade environments, it results in S4U2Proxy requests +against a 1.20 KDC using a service ticket generated by an older version +KDC to fail. + +This commit adds a krb5_kdc_verify_ticket_ext() function with an extra +switch parameter to tolerate the absence of ticket signature in this +scenario. If the ticket signature is present, it has to be valid, +regardless of this parameter. + +This parameter is set based on the "optional_pac_tkt_chksum" string +attribute of the TGT KDB entry. +--- + doc/admin/admin_commands/kadmin_local.rst | 6 ++++ + doc/appdev/refs/api/index.rst | 1 + + src/include/kdb.h | 1 + + src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++ + src/kdc/kdc_util.c | 32 ++++++++++++++---- + src/lib/krb5/krb/pac.c | 31 +++++++++++++++--- + src/lib/krb5/libkrb5.exports | 1 + + src/man/kadmin.man | 6 ++++ + 8 files changed, 108 insertions(+), 10 deletions(-) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 2435b3c361..58ac79549f 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -658,6 +658,12 @@ KDC: + Directory realm when using aes-sha2 keys on the local krbtgt + entry. + ++**optional_pac_tkt_chksum** ++ Boolean value defining the behavior of the KDC in case an expected ++ ticket checksum signed with one of this principal keys is not ++ present in the PAC. 
This is typically the case for TGS or ++ cross-realm TGS principals when processing S4U2Proxy requests. ++ + This command requires the **modify** privilege. + + Alias: **setstr** +diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst +index d12be47c3c..9b95ebd0f9 100644 +--- a/doc/appdev/refs/api/index.rst ++++ b/doc/appdev/refs/api/index.rst +@@ -225,6 +225,7 @@ Rarely used public interfaces + krb5_is_referral_realm.rst + krb5_kdc_sign_ticket.rst + krb5_kdc_verify_ticket.rst ++ krb5_kdc_verify_ticket_ext.rst + krb5_kt_add_entry.rst + krb5_kt_end_seq_get.rst + krb5_kt_get_entry.rst +diff --git a/src/include/kdb.h b/src/include/kdb.h +index 745b24f351..6075349e5e 100644 +--- a/src/include/kdb.h ++++ b/src/include/kdb.h +@@ -136,6 +136,7 @@ + #define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" + #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" + #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" ++#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum" + + #if !defined(_WIN32) + +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index c5a625db8f..2d9b64dc85 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -8329,6 +8329,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out); + ++/** ++ * Verify a PAC, possibly including ticket signature ++ * ++ * @param [in] context Library context ++ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC ++ * @param [in] server_princ Canonicalized name of ticket server ++ * @param [in] server Key to validate server checksum (or NULL) ++ * @param [in] privsvr Key to validate KDC checksum (or NULL) ++ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum ++ * @param [out] pac_out Verified PAC (NULL if no PAC included) ++ * ++ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a ++ * 
optional_tkt_chksum parameter allowing to tolerate the absence of the PAC ++ * ticket signature. ++ * ++ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is ++ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and ++ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt ++ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If ++ * an invalid PAC signature is found, return an error matching the Windows KDC ++ * protocol code for that condition as closely as possible. ++ * ++ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return ++ * successfully. ++ * ++ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a ++ * specific value is expected, the caller can make a separate call to ++ * krb5_pac_verify_ext() with a principal but no keys. ++ * ++ * @retval 0 Success; otherwise - Kerberos error codes ++ */ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out); ++ + /** @deprecated Use krb5_kdc_sign_ticket() instead. 
*/ + krb5_error_code KRB5_CALLCONV + krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index fe4e48209a..93415ba862 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -560,16 +560,36 @@ cleanup: + static krb5_error_code + try_verify_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_db_entry *server, krb5_keyblock *server_key, +- const krb5_keyblock *tgt_key, krb5_pac *pac_out) ++ krb5_db_entry *tgt, const krb5_keyblock *tgt_key, ++ krb5_pac *pac_out) + { + krb5_error_code ret; ++ krb5_boolean optional_tkt_chksum; ++ char *str = NULL; + krb5_keyblock *privsvr_key; + + ret = pac_privsvr_key(context, server, tgt_key, &privsvr_key); + if (ret) + return ret; +- ret = krb5_kdc_verify_ticket(context, enc_tkt, server->princ, server_key, +- privsvr_key, pac_out); ++ ++ /* Check if the absence of ticket signature is tolerated for this realm */ ++ ret = krb5_dbe_get_string(context, tgt, ++ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str); ++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not ++ * available here. 
++ */ ++ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0 ++ || strncasecmp(str, "t", 1) == 0 ++ || strncasecmp(str, "yes", 3) == 0 ++ || strncasecmp(str, "y", 1) == 0 ++ || strncasecmp(str, "1", 1) == 0 ++ || strncasecmp(str, "on", 2) == 0); ++ ++ krb5_dbe_free_string(context, str); ++ ++ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, server->princ, ++ server_key, privsvr_key, ++ optional_tkt_chksum, pac_out); + krb5_free_keyblock(context, privsvr_key); + return ret; + } +@@ -599,7 +619,7 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + server_key, NULL, pac_out); + } + +- ret = try_verify_pac(context, enc_tkt, server, server_key, tgt_key, ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, tgt_key, + pac_out); + if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE) + return ret; +@@ -613,8 +633,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL); + if (ret) + return ret; +- ret = try_verify_pac(context, enc_tkt, server, server_key, &old_key, +- pac_out); ++ ret = try_verify_pac(context, enc_tkt, server, server_key, tgt, ++ &old_key, pac_out); + krb5_free_keyblock_contents(context, &old_key); + if (!ret) + return 0; +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 5d1fdf1ba0..0c0e2ada68 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -594,6 +594,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_const_principal server_princ, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, krb5_pac *pac_out) ++{ ++ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server, ++ privsvr, FALSE, pac_out); ++} ++ ++krb5_error_code KRB5_CALLCONV ++krb5_kdc_verify_ticket_ext(krb5_context context, ++ const krb5_enc_tkt_part *enc_tkt, ++ krb5_const_principal server_princ, ++ const krb5_keyblock *server, ++ 
const krb5_keyblock *privsvr, ++ krb5_boolean optional_tkt_chksum, ++ krb5_pac *pac_out) + { + krb5_error_code ret; + krb5_pac pac = NULL; +@@ -602,7 +615,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + krb5_authdata *orig, **ifrel = NULL, **recoded_ifrel = NULL; + uint8_t z = 0; + krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z }; +- krb5_boolean is_service_tkt; ++ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE; + size_t i, j; + + *pac_out = NULL; +@@ -667,11 +680,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, + + ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr, + KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (!optional_tkt_chksum) ++ goto cleanup; ++ else if (ret != ENOENT) ++ goto cleanup; ++ /* Otherwise ticket signature is absent but optional. Proceed... */ ++ } else { ++ has_tkt_chksum = TRUE; ++ } + } ++ /* Else, we make the assumption the ticket signature is absent in case this ++ * is not a service ticket. ++ */ + +- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr); ++ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr); + if (ret) + goto cleanup; + +diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports +index 4c50e935a2..d4b0455c8c 100644 +--- a/src/lib/krb5/libkrb5.exports ++++ b/src/lib/krb5/libkrb5.exports +@@ -463,6 +463,7 @@ krb5_is_thread_safe + krb5_kdc_rep_decrypt_proc + krb5_kdc_sign_ticket + krb5_kdc_verify_ticket ++krb5_kdc_verify_ticket_ext + krb5_kt_add_entry + krb5_kt_client_default + krb5_kt_close +diff --git a/src/man/kadmin.man b/src/man/kadmin.man +index 8413e70ccd..f68eb0569d 100644 +--- a/src/man/kadmin.man ++++ b/src/man/kadmin.man +@@ -724,6 +724,12 @@ encryption type. 
It may be necessary to set this value to + "aes256\-sha1" on the cross\-realm krbtgt entry for an Active + Directory realm when using aes\-sha2 keys on the local krbtgt + entry. ++.TP ++\fBoptional_pac_tkt_chksum\fP ++Boolean value defining the behavior of the KDC in case an expected ticket ++checksum signed with one of this principal keys is not present in the PAC. This ++is typically the case for TGS or cross-realm TGS principals when processing ++S4U2Proxy requests. + .UNINDENT + .sp + This command requires the \fBmodify\fP privilege. +-- +2.45.1 + diff --git a/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch new file mode 100644 index 0000000..68a2a6d --- /dev/null +++ b/SOURCES/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch 
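Review bot: The parsing of the `optional_pac_tkt_chksum` string attribute in try_verify_pac (kdc_util.c) uses `strncasecmp` with the length of each literal, so it is a prefix test: values such as "tomorrow", "1000" or "onion" all switch the relaxed check on, which is not the exact-word matching the TODO's reference to `_krb5_conf_boolean()` intends; an exact case-insensitive comparison against the accepted words, as in the helper below, keeps the admin-facing semantics predictable. The relaxation also reaches pac.c: when the ticket signature is absent and tolerated, `has_tkt_chksum` stays FALSE, and if verify_pac_checksums (defined outside this hunk) uses that argument to decide whether the full PAC checksum is required, as the old argument name `is_service_tkt` suggests, such tickets are then bound only by the KDC signature, a consequence that belongs in the kadmin_local.rst text so administrators know what the attribute disables. The Doxygen tag `@paran [in] optional_tkt_chksum` in krb5.hin should read `@param`, and "one of this principal keys" in both documentation files should be "one of this principal's keys".
```c
/* Exact, case-insensitive match against the words _krb5_conf_boolean() treats as true. */
static krb5_boolean
string_is_true(const char *s)
{
    static const char *const words[] = { "y", "yes", "true", "t", "1", "on" };
    size_t i;

    for (i = 0; i < sizeof(words) / sizeof(words[0]); i++) {
        if (strcasecmp(s, words[i]) == 0)
            return TRUE;
    }
    return FALSE;
}

/* … unchanged: try_verify_pac() up to and including the krb5_dbe_get_string() call … */
    optional_tkt_chksum = !ret && str != NULL && string_is_true(str);
/* … unchanged: krb5_dbe_free_string() and the krb5_kdc_verify_ticket_ext() call … */
```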
@@ -0,0 +1,47 @@
+From 31b9debcf2cbd558f8f315fefb69fc8206b115b4 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Tue, 23 May 2023 12:19:54 +0200
+Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature
+ verification available in FIPS mode
+
+We recommend using the SHA1 crypto-module in order to allow the
+verification of SHA-1 signature for CMS messages. However, this module
+does not work in FIPS mode, because the SHA-1 algorithm is absent from
+the OpenSSL FIPS provider.
+
+This commit enables the signature verification process to fetch the
+algorithm from a non-FIPS OpenSSL provider.
+
+Support for SHA-1 CMS signature is still required, especially in order
+to interoperate with Active Directory. At least it is until elliptic
+curve cryptography is implemented for PKINIT in MIT krb5.
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index cb9c79626c..17dd18e37d 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1844,8 +1844,17 @@ cms_signeddata_verify(krb5_context context,
+ if (oid == NULL)
+ goto cleanup;
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ /* Do not use FIPS provider (even in FIPS mode) because it keeps from
++ * allowing SHA-1 signature verification using the SHA1 crypto-module
++ */
++ cms = CMS_ContentInfo_new_ex(NULL, "-fips");
++ if (!cms)
++ goto cleanup;
++#endif
++
+ /* decode received CMS message */
+- if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
++ if (!d2i_CMS_ContentInfo(&cms, &p, (int)signed_data_len)) {
+ retval = oerr(context, 0, _("Failed to decode CMS message"));
+ goto cleanup;
+ }
+--
+2.45.1
+
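Review bot: The `"-fips"` property query given to `CMS_ContentInfo_new_ex` is not limited to SHA-1: every algorithm fetched through this CMS object (any digest or signature algorithm the default provider implements) is taken from non-FIPS implementations while in FIPS mode, so the comment should state that scope, e.g. `/* Use non-FIPS implementations for this message so SHA-1 CMS signatures can be verified; this also admits any other non-FIPS algorithm the default provider offers. */`, and its current wording "because it keeps from allowing" is unclear. On the pre-3.0 path `cms` is now passed by address to `d2i_CMS_ContentInfo(&cms, ...)`, which reuses a non-NULL `*cms`; its declaration is outside the hunk, so confirm it is initialized to NULL there. On a decode failure OpenSSL frees the object it was handed and presumably resets `cms` to NULL, so the existing `cleanup` free should remain safe, but since the allocation now precedes the decode that expectation deserves a one-line comment next to the call.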
diff --git a/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch b/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
new file mode 100644
index 0000000..30646aa
--- /dev/null
+++ b/SOURCES/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
@@ -0,0 +1,218 @@ +From c24c9faf859ddc04910a6bc591d8ddb2ada93e80 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 30 May 2023 01:21:48 -0400 +Subject: [PATCH] Enable PKINIT if at least one group is available + +OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman +group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL +does not know about MODP group 2 (1024-bit), which is considered as a +custom group. As a consequence, the PKINIT kdcpreauth module fails to +load in FIPS mode. + +Allow initialization of PKINIT plugin if at least one of the MODP +well-known group parameters successfully decodes. + +[ghudson@mit.edu: minor commit message and code edits] + +ticket: 9096 (new) +(cherry picked from commit 509d8db922e9ad6f108883838473b6178f89874a) +--- + src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- + src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +- + .../preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++-------- + src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- + src/plugins/preauth/pkinit/pkinit_trace.h | 3 + + 5 files changed, 51 insertions(+), 35 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 725d5bc438..ea9ba454df 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -1378,7 +1378,7 @@ pkinit_client_plugin_init(krb5_context context, + if (retval) + goto errout; + +- retval = pkinit_init_plg_crypto(&ctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &ctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 9fa315d7a0..8bdbea8e95 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -103,7 +103,8 @@ typedef struct _pkinit_cert_matching_data { + /* + * Functions to initialize and cleanup crypto contexts + */ +-krb5_error_code 
pkinit_init_plg_crypto(pkinit_plg_crypto_context *); ++krb5_error_code pkinit_init_plg_crypto(krb5_context, ++ pkinit_plg_crypto_context *); + void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); + + krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 17dd18e37d..8cdc40bfb4 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -47,7 +47,8 @@ + static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context ); + static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ); + +-static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context ); ++static krb5_error_code pkinit_init_dh_params(krb5_context, ++ pkinit_plg_crypto_context); + static void pkinit_fini_dh_params(pkinit_plg_crypto_context ); + + static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx); +@@ -951,7 +952,8 @@ oerr_cert(krb5_context context, krb5_error_code code, X509_STORE_CTX *certctx, + } + + krb5_error_code +-pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) ++pkinit_init_plg_crypto(krb5_context context, ++ pkinit_plg_crypto_context *cryptoctx) + { + krb5_error_code retval = ENOMEM; + pkinit_plg_crypto_context ctx = NULL; +@@ -969,7 +971,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) + if (retval) + goto out; + +- retval = pkinit_init_dh_params(ctx); ++ retval = pkinit_init_dh_params(context, ctx); + if (retval) + goto out; + +@@ -1278,30 +1280,36 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) + ASN1_OBJECT_free(ctx->id_kp_serverAuth); + } + +-static krb5_error_code +-pkinit_init_dh_params(pkinit_plg_crypto_context plgctx) ++static int ++try_import_group(krb5_context context, const krb5_data *params, ++ const char *name, EVP_PKEY **pkey_out) + { +- krb5_error_code retval = ENOMEM; +- +- plgctx->dh_1024 
= decode_dh_params(&oakley_1024); +- if (plgctx->dh_1024 == NULL) +- goto cleanup; +- +- plgctx->dh_2048 = decode_dh_params(&oakley_2048); +- if (plgctx->dh_2048 == NULL) +- goto cleanup; ++ *pkey_out = decode_dh_params(params); ++ if (*pkey_out == NULL) ++ TRACE_PKINIT_DH_GROUP_UNAVAILABLE(context, name); ++ return (*pkey_out != NULL) ? 1 : 0; ++} + +- plgctx->dh_4096 = decode_dh_params(&oakley_4096); +- if (plgctx->dh_4096 == NULL) +- goto cleanup; ++static krb5_error_code ++pkinit_init_dh_params(krb5_context context, pkinit_plg_crypto_context plgctx) ++{ ++ int n = 0; + +- retval = 0; ++ n += try_import_group(context, &oakley_1024, "MODP 2 (1024-bit)", ++ &plgctx->dh_1024); ++ n += try_import_group(context, &oakley_2048, "MODP 14 (2048-bit)", ++ &plgctx->dh_2048); ++ n += try_import_group(context, &oakley_4096, "MODP 16 (4096-bit)", ++ &plgctx->dh_4096); + +-cleanup: +- if (retval) ++ if (n == 0) { + pkinit_fini_dh_params(plgctx); ++ k5_setmsg(context, ENOMEM, ++ _("PKINIT cannot initialize any key exchange groups")); ++ return ENOMEM; ++ } + +- return retval; ++ return 0; + } + + static void +@@ -2912,11 +2920,11 @@ client_create_dh(krb5_context context, + + if (cryptoctx->received_params != NULL) + params = cryptoctx->received_params; +- else if (dh_size == 1024) ++ else if (plg_cryptoctx->dh_1024 != NULL && dh_size == 1024) + params = plg_cryptoctx->dh_1024; +- else if (dh_size == 2048) ++ else if (plg_cryptoctx->dh_2048 != NULL && dh_size == 2048) + params = plg_cryptoctx->dh_2048; +- else if (dh_size == 4096) ++ else if (plg_cryptoctx->dh_4096 != NULL && dh_size == 4096) + params = plg_cryptoctx->dh_4096; + else + goto cleanup; +@@ -3212,19 +3220,23 @@ pkinit_create_td_dh_parameters(krb5_context context, + krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; + krb5_algorithm_identifier *alglist[4]; + +- if (opts->dh_min_bits > 4096) { +- ret = KRB5KRB_ERR_GENERIC; +- goto cleanup; +- } +- + i = 0; +- if (opts->dh_min_bits <= 2048) ++ if 
(plg_cryptoctx->dh_2048 != NULL && opts->dh_min_bits <= 2048) + alglist[i++] = &alg_2048; +- alglist[i++] = &alg_4096; +- if (opts->dh_min_bits <= 1024) ++ if (plg_cryptoctx->dh_4096 != NULL && opts->dh_min_bits <= 4096) ++ alglist[i++] = &alg_4096; ++ if (plg_cryptoctx->dh_1024 != NULL && opts->dh_min_bits <= 1024) + alglist[i++] = &alg_1024; + alglist[i] = NULL; + ++ if (i == 0) { ++ ret = KRB5KRB_ERR_GENERIC; ++ k5_setmsg(context, ret, ++ _("OpenSSL has no supported key exchange groups for " ++ "pkinit_dh_min_bits=%d"), opts->dh_min_bits); ++ goto cleanup; ++ } ++ + ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist); + if (ret) + goto cleanup; +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 1b3bf6d4d0..768a4e559f 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1222,7 +1222,7 @@ pkinit_server_plugin_init_realm(krb5_context context, const char *realmname, + goto errout; + plgctx->realmname_len = strlen(plgctx->realmname); + +- retval = pkinit_init_plg_crypto(&plgctx->cryptoctx); ++ retval = pkinit_init_plg_crypto(context, &plgctx->cryptoctx); + if (retval) + goto errout; + +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 259e95c6c2..5ee39c085c 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -90,6 +90,9 @@ + #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \ + TRACE(c, "PKINIT client trying again with KDC-provided parameters") + ++#define TRACE_PKINIT_DH_GROUP_UNAVAILABLE(c, name) \ ++ TRACE(c, "PKINIT key exchange group {str} unsupported", name) ++ + #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ + TRACE(c, "PKINIT OpenSSL error: {str}", msg) + +-- +2.45.1 + 
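Review bot: `pkinit_init_dh_params` reports "no group could be decoded" as ENOMEM, which conflates a provider or configuration problem with an allocation failure and leaves callers that test for ENOMEM unable to tell them apart; the same condition in `pkinit_create_td_dh_parameters` in this hunk uses KRB5KRB_ERR_GENERIC, so `ret = KRB5KRB_ERR_GENERIC; k5_setmsg(context, ret, _("PKINIT cannot initialize any key exchange groups")); return ret;` would be consistent. In `try_import_group`, `return (*pkey_out != NULL) ? 1 : 0;` can simply be `return *pkey_out != NULL;`, and a one-line comment stating that a failed decode is traced but deliberately not treated as an error would help the next reader. The new NULL guards in `client_create_dh` mean a client configured for a group that did not decode fails at `goto cleanup` instead of stepping up to a stronger available group; that is defensible, but worth a comment on the else branch (the function's body continues outside the hunk).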
diff --git a/SOURCES/0015-Eliminate-old-style-function-declarations.patch b/SOURCES/0015-Eliminate-old-style-function-declarations.patch
new file mode 100644
index 0000000..8d703f1
--- /dev/null
+++ b/SOURCES/0015-Eliminate-old-style-function-declarations.patch
@@ -0,0 +1,10685 @@ +From b09d402db9ff6dc89b2761482933f0bf47778cea Mon Sep 17 00:00:00 2001 +From: Ken Hornstein +Date: Fri, 9 Jun 2023 23:53:53 -0400 +Subject: [PATCH] Eliminate old-style function declarations + +The C2x standard removes support for non-prototype function +declarations, and clang 15 issues warnings for them +(https://reviews.llvm.org/D122895). Add -Werror=strict-prototypes to +the build and fix all of the non-prototype declarations and +definitions. + +For RPC code, try to be consistent with libtirpc and recent *BSD +versions of rpcgen. This includes casting each time a concrete +function is used as an xdrproc_t value, since each XDR per-type +function accepts a different object pointer type. A few invocations +of xdrproc_t values pass a third argument with value LASTUNSIGNED, +even though XDR per-type functions accept only two parameters. +libtirpc has removed these third arguments; do so here as well. + +[ghudson@mit.edu: added -Werror=strict-prototypes and fixed +declarations it breaks under gcc and clang; added xdrproc_t changes; +rewrote commit message; style changes] + +(cherry picked from commit 4b9d7f7c107f01a61600fddcd8cde3812d0366a2) +--- + src/aclocal.m4 | 2 +- + src/appl/gss-sample/gss-client.c | 29 +--- + src/appl/gss-sample/gss-misc.c | 26 +-- + src/appl/gss-sample/gss-server.c | 2 +- + src/appl/user_user/server.c | 5 +- + src/clients/kdestroy/kdestroy.c | 2 +- + src/clients/kinit/kinit.c | 4 +- + src/clients/klist/klist.c | 2 +- + src/clients/ksu/authorization.c | 95 ++++------ + src/clients/ksu/ccache.c | 108 ++++-------- + src/clients/ksu/heuristic.c | 94 ++++------ + src/clients/ksu/krb_auth_su.c | 49 ++---- + src/clients/ksu/main.c | 40 ++--- + src/clients/kvno/kvno.c | 2 +- + src/include/gssrpc/auth_gssapi.h | 10 +- + src/include/gssrpc/xdr.h | 3 +- + src/include/k5-int.h | 2 +- + src/include/k5-plugin.h | 2 +- + src/include/net-server.h | 6 +- + src/kadmin/cli/getdate.y | 3 - + src/kadmin/cli/kadmin.c | 6 +- + 
src/kadmin/cli/keytab.c | 4 +- + src/kadmin/dbutil/kdb5_create.c | 16 +- + src/kadmin/dbutil/kdb5_destroy.c | 4 +- + src/kadmin/dbutil/kdb5_stash.c | 4 +- + src/kadmin/dbutil/kdb5_util.c | 24 +-- + src/kadmin/dbutil/ovload.c | 14 +- + src/kadmin/dbutil/strtok.c | 4 +- + src/kadmin/ktutil/ktutil.c | 45 ++--- + src/kadmin/ktutil/ktutil_funcs.c | 37 ++-- + src/kadmin/server/ipropd_svc.c | 24 +-- + src/kadmin/server/kadm_rpc_svc.c | 162 +++++++++--------- + src/kadmin/server/ovsec_kadmd.c | 4 +- + src/kdc/t_ndr.c | 2 +- + src/kdc/t_replay.c | 6 +- + src/kprop/kpropd.c | 2 +- + src/kprop/kproplog.c | 4 +- + src/lib/apputils/net-server.c | 7 +- + src/lib/crypto/builtin/aes/aes-gen.c | 18 +- + .../crypto/builtin/camellia/camellia-gen.c | 18 +- + src/lib/crypto/builtin/sha1/t_shs.c | 7 +- + src/lib/crypto/builtin/sha1/t_shs3.c | 7 +- + src/lib/crypto/crypto_tests/aes-test.c | 8 +- + src/lib/crypto/crypto_tests/camellia-test.c | 8 +- + src/lib/crypto/crypto_tests/t_cf2.c | 4 +- + src/lib/crypto/crypto_tests/t_cts.c | 2 +- + src/lib/crypto/crypto_tests/t_encrypt.c | 2 +- + src/lib/crypto/crypto_tests/t_fork.c | 2 +- + src/lib/crypto/crypto_tests/t_hmac.c | 3 +- + src/lib/crypto/crypto_tests/t_mddriver.c | 25 ++- + src/lib/crypto/crypto_tests/t_nfold.c | 16 +- + src/lib/crypto/crypto_tests/t_prf.c | 2 +- + src/lib/crypto/crypto_tests/t_sha2.c | 2 +- + src/lib/gssapi/generic/t_seqstate.c | 2 +- + src/lib/gssapi/krb5/accept_sec_context.c | 76 +++----- + src/lib/gssapi/krb5/compare_name.c | 7 +- + src/lib/gssapi/krb5/context_time.c | 6 +- + src/lib/gssapi/krb5/delete_sec_context.c | 7 +- + src/lib/gssapi/krb5/disp_name.c | 9 +- + src/lib/gssapi/krb5/disp_status.c | 11 +- + src/lib/gssapi/krb5/export_sec_context.c | 7 +- + src/lib/gssapi/krb5/gssapi_krb5.c | 4 +- + src/lib/gssapi/krb5/import_name.c | 8 +- + src/lib/gssapi/krb5/import_sec_context.c | 10 +- + src/lib/gssapi/krb5/indicate_mechs.c | 4 +- + src/lib/gssapi/krb5/init_sec_context.c | 55 ++---- + 
src/lib/gssapi/krb5/inq_context.c | 17 +- + src/lib/gssapi/krb5/inq_cred.c | 26 +-- + src/lib/gssapi/krb5/inq_names.c | 6 +- + src/lib/gssapi/krb5/k5seal.c | 38 ++-- + src/lib/gssapi/krb5/k5unseal.c | 51 ++---- + src/lib/gssapi/krb5/process_context_token.c | 8 +- + src/lib/gssapi/krb5/rel_cred.c | 4 +- + src/lib/gssapi/krb5/rel_name.c | 4 +- + src/lib/gssapi/krb5/rel_oid.c | 8 +- + src/lib/gssapi/krb5/ser_sctx.c | 16 +- + src/lib/gssapi/krb5/util_cksum.c | 6 +- + src/lib/gssapi/krb5/util_seed.c | 5 +- + src/lib/gssapi/krb5/util_seqnum.c | 19 +- + src/lib/gssapi/krb5/val_cred.c | 4 +- + src/lib/gssapi/krb5/wrap_size_limit.c | 11 +- + .../gssapi/mechglue/g_accept_sec_context.c | 31 +--- + src/lib/gssapi/mechglue/g_acquire_cred.c | 95 +++------- + .../gssapi/mechglue/g_acquire_cred_with_pw.c | 56 ++---- + src/lib/gssapi/mechglue/g_canon_name.c | 10 +- + src/lib/gssapi/mechglue/g_compare_name.c | 12 +- + src/lib/gssapi/mechglue/g_context_time.c | 10 +- + .../gssapi/mechglue/g_delete_sec_context.c | 10 +- + src/lib/gssapi/mechglue/g_dsp_name.c | 12 +- + src/lib/gssapi/mechglue/g_dsp_status.c | 22 +-- + src/lib/gssapi/mechglue/g_dup_name.c | 8 +- + src/lib/gssapi/mechglue/g_exp_sec_context.c | 10 +- + src/lib/gssapi/mechglue/g_export_name.c | 8 +- + src/lib/gssapi/mechglue/g_glue.c | 75 +++----- + src/lib/gssapi/mechglue/g_imp_name.c | 18 +- + src/lib/gssapi/mechglue/g_imp_sec_context.c | 11 +- + src/lib/gssapi/mechglue/g_init_sec_context.c | 37 +--- + src/lib/gssapi/mechglue/g_initialize.c | 22 +-- + src/lib/gssapi/mechglue/g_inq_cred.c | 31 +--- + src/lib/gssapi/mechglue/g_inq_names.c | 8 +- + src/lib/gssapi/mechglue/g_mechname.c | 14 +- + src/lib/gssapi/mechglue/g_oid_ops.c | 27 +-- + src/lib/gssapi/mechglue/g_process_context.c | 10 +- + src/lib/gssapi/mechglue/g_rel_buffer.c | 6 +- + src/lib/gssapi/mechglue/g_rel_cred.c | 7 +- + src/lib/gssapi/mechglue/g_rel_name.c | 7 +- + src/lib/gssapi/mechglue/g_rel_oid_set.c | 6 +- + src/lib/gssapi/mechglue/g_sign.c | 29 +--- + 
src/lib/gssapi/mechglue/g_store_cred.c | 48 ++---- + src/lib/gssapi/mechglue/g_unseal.c | 35 +--- + src/lib/gssapi/mechglue/g_unwrap_aead.c | 19 +- + src/lib/gssapi/mechglue/g_unwrap_iov.c | 15 +- + src/lib/gssapi/mechglue/g_verify.c | 30 +--- + src/lib/gssapi/mechglue/g_wrap_aead.c | 39 ++--- + src/lib/gssapi/mechglue/g_wrap_iov.c | 43 +---- + src/lib/kadm5/clnt/client_rpc.c | 1 + + src/lib/kadm5/kadm_rpc.h | 45 ----- + src/lib/kadm5/kadm_rpc_xdr.c | 37 ++-- + src/lib/kadm5/misc_free.c | 5 +- + src/lib/kadm5/srv/adb_xdr.c | 6 +- + src/lib/kadm5/srv/svr_principal.c | 12 +- + src/lib/kadm5/str_conv.c | 18 +- + src/lib/kadm5/t_kadm5.c | 22 +-- + src/lib/kdb/kdb5.c | 8 +- + src/lib/kdb/kdb_cpw.c | 32 +--- + src/lib/kdb/keytab.c | 19 +- + src/lib/kdb/t_stringattr.c | 2 +- + src/lib/krad/packet.c | 2 +- + src/lib/krad/t_attr.c | 2 +- + src/lib/krad/t_attrset.c | 2 +- + src/lib/krad/t_code.c | 2 +- + src/lib/krb5/ccache/cc_keyring.c | 2 +- + src/lib/krb5/krb/plugin.c | 2 +- + src/lib/krb5/krb/t_authdata.c | 2 +- + src/lib/krb5/krb/t_response_items.c | 2 +- + src/lib/krb5/krb/t_ser.c | 8 +- + src/lib/krb5/krb/t_sname_match.c | 2 +- + src/lib/krb5/krb/t_valid_times.c | 2 +- + src/lib/krb5/rcache/t_memrcache.c | 2 +- + src/lib/rpc/auth_gss.c | 4 +- + src/lib/rpc/auth_gssapi.c | 14 +- + src/lib/rpc/auth_gssapi_misc.c | 4 +- + src/lib/rpc/authunix_prot.c | 3 +- + src/lib/rpc/clnt_perror.c | 1 - + src/lib/rpc/clnt_raw.c | 2 +- + src/lib/rpc/dyn.c | 85 ++++----- + src/lib/rpc/pmap_clnt.c | 9 +- + src/lib/rpc/pmap_getmaps.c | 5 +- + src/lib/rpc/pmap_getport.c | 6 +- + src/lib/rpc/pmap_prot2.c | 3 +- + src/lib/rpc/pmap_rmt.c | 10 +- + src/lib/rpc/rpc_prot.c | 4 +- + src/lib/rpc/svc.c | 4 +- + src/lib/rpc/svc_auth_gss.c | 10 +- + src/lib/rpc/svc_auth_gssapi.c | 28 +-- + src/lib/rpc/svc_simple.c | 4 +- + src/lib/rpc/unit-test/client.c | 18 +- + src/lib/rpc/unit-test/rpc_test_clnt.c | 4 +- + src/lib/rpc/unit-test/rpc_test_svc.c | 16 +- + src/lib/rpc/unit-test/server.c | 2 +- + 
src/lib/rpc/xdr.c | 4 +- + src/lib/rpc/xdr_array.c | 4 +- + src/lib/rpc/xdr_rec.c | 13 +- + src/lib/rpc/xdr_reference.c | 4 +- + src/lib/rpc/xdr_sizeof.c | 29 +--- + src/plugins/kdb/db2/db2_exp.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_close.c | 10 +- + src/plugins/kdb/db2/libdb2/btree/bt_conv.c | 13 +- + src/plugins/kdb/db2/libdb2/btree/bt_delete.c | 34 +--- + src/plugins/kdb/db2/libdb2/btree/bt_get.c | 6 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 12 +- + .../kdb/db2/libdb2/btree/bt_overflow.c | 16 +- + src/plugins/kdb/db2/libdb2/btree/bt_page.c | 8 +- + src/plugins/kdb/db2/libdb2/btree/bt_put.c | 11 +- + src/plugins/kdb/db2/libdb2/btree/bt_search.c | 17 +- + src/plugins/kdb/db2/libdb2/btree/bt_seq.c | 27 +-- + src/plugins/kdb/db2/libdb2/btree/bt_split.c | 42 +---- + src/plugins/kdb/db2/libdb2/btree/bt_utils.c | 18 +- + src/plugins/kdb/db2/libdb2/db/db.c | 26 ++- + src/plugins/kdb/db2/libdb2/hash/dbm.c | 50 ++---- + src/plugins/kdb/db2/libdb2/hash/hash.c | 94 +++------- + src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c | 35 +--- + src/plugins/kdb/db2/libdb2/hash/hash_func.c | 16 +- + src/plugins/kdb/db2/libdb2/hash/hash_log2.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash_page.c | 121 ++++--------- + src/plugins/kdb/db2/libdb2/hash/hsearch.c | 9 +- + src/plugins/kdb/db2/libdb2/mpool/mpool.c | 54 ++---- + src/plugins/kdb/db2/libdb2/recno/rec_close.c | 7 +- + src/plugins/kdb/db2/libdb2/recno/rec_delete.c | 14 +- + src/plugins/kdb/db2/libdb2/recno/rec_get.c | 22 +-- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 9 +- + src/plugins/kdb/db2/libdb2/recno/rec_put.c | 12 +- + src/plugins/kdb/db2/libdb2/recno/rec_search.c | 5 +- + src/plugins/kdb/db2/libdb2/recno/rec_seq.c | 5 +- + src/plugins/kdb/db2/libdb2/recno/rec_utils.c | 6 +- + src/plugins/kdb/db2/libdb2/test/dbtest.c | 59 ++----- + src/plugins/kdb/db2/pol_xdr.c | 2 +- + .../kdb/ldap/ldap_util/kdb5_ldap_util.c | 4 +- + src/plugins/kdb/lmdb/kdb_lmdb.c | 4 +- + src/plugins/kdb/test/kdb_test.c | 4 +- + 
.../preauth/pkinit/pkinit_crypto_openssl.c | 4 +- + src/plugins/preauth/spake/t_vectors.c | 2 +- + src/tests/asn.1/krb5_decode_test.c | 5 +- + src/tests/asn.1/krb5_encode_test.c | 13 +- + src/tests/asn.1/t_trval.c | 14 +- + src/tests/asn.1/trval.c | 73 +++----- + src/tests/conccache.c | 4 +- + src/tests/create/kdb5_mkdums.c | 16 +- + src/tests/forward.c | 2 +- + src/tests/gss-threads/gss-client.c | 4 +- + src/tests/gss-threads/gss-server.c | 2 +- + src/tests/gssapi/reload.c | 2 +- + src/tests/gssapi/t_add_cred.c | 2 +- + src/tests/gssapi/t_enctypes.c | 2 +- + src/tests/gssapi/t_invalid.c | 2 +- + src/tests/gssapi/t_oid.c | 2 +- + src/tests/gssapi/t_spnego.c | 2 +- + src/tests/hammer/kdc5_hammer.c | 36 ++-- + src/tests/kdbtest.c | 2 +- + src/tests/misc/test_getpw.c | 2 +- + src/tests/plugorder.c | 2 +- + src/tests/shlib/t_loader.c | 2 +- + src/tests/softpkcs11/main.c | 2 +- + src/tests/t_inetd.c | 7 +- + src/tests/test1.c | 4 +- + src/tests/verify/kdb5_verify.c | 17 +- + src/util/et/error_message.c | 2 +- + src/util/et/test_et.c | 3 +- + src/util/profile/prof_init.c | 2 +- + src/util/profile/t_profile.c | 22 +-- + src/util/profile/test_load.c | 2 +- + src/util/profile/test_parse.c | 5 +- + src/util/profile/test_profile.c | 10 +- + src/util/profile/test_vtable.c | 3 +- + src/util/ss/error.c | 13 +- + src/util/ss/execute_cmd.c | 23 +-- + src/util/ss/help.c | 115 ++++++------- + src/util/ss/invocation.c | 13 +- + src/util/ss/list_rqs.c | 11 +- + src/util/ss/listen.c | 32 ++-- + src/util/ss/pager.c | 10 +- + src/util/ss/parse.c | 6 +- + src/util/ss/prompt.c | 7 +- + src/util/ss/request_tbl.c | 11 +- + src/util/ss/requests.c | 2 +- + src/util/ss/ss.h | 1 - + src/util/ss/ss_internal.h | 3 +- + src/util/support/plugins.c | 10 +- + src/util/support/t_hashtab.c | 6 +- + src/util/support/t_hex.c | 3 +- + src/util/support/t_json.c | 2 +- + src/util/support/t_k5buf.c | 16 +- + src/util/support/t_unal.c | 3 +- + 253 files changed, 1379 insertions(+), 2717 deletions(-) + +diff 
--git a/src/aclocal.m4 b/src/aclocal.m4
+index 3331970930..040d5bdd0c 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -546,7 +546,7 @@ if test "$GCC" = yes ; then
+ TRY_WARN_CC_FLAG(-Wno-format-zero-length)
+ # Other flags here may not be supported on some versions of
+ # gcc that people want to use.
+- for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized no-maybe-uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do
++ for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized no-maybe-uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int error=strict-prototypes; do
+ TRY_WARN_CC_FLAG(-W$flag)
+ done
+ # old-style-definition?
generates many, many warnings +diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c +index 6e2aa33690..0722ae196f 100644 +--- a/src/appl/gss-sample/gss-client.c ++++ b/src/appl/gss-sample/gss-client.c +@@ -75,7 +75,7 @@ static gss_OID_desc gss_spnego_mechanism_oid_desc = + {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; + + static void +-usage() ++usage(void) + { + fprintf(stderr, "Usage: gss-client [-port port] [-mech mechanism] " + "[-spnego] [-d]\n"); +@@ -359,9 +359,7 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags, + } + + static void +-read_file(file_name, in_buf) +- char *file_name; +- gss_buffer_t in_buf; ++read_file(char *file_name, gss_buffer_t in_buf) + { + int fd, count; + struct stat stat_buf; +@@ -431,21 +429,10 @@ read_file(file_name, in_buf) + * verifies it with gss_verify. -1 is returned if any step fails, + * otherwise 0 is returned. */ + static int +-call_server(host, port, oid, service_name, gss_flags, auth_flag, +- wrap_flag, encrypt_flag, mic_flag, v1_format, msg, use_file, +- mcount, username, password) +- char *host; +- u_short port; +- gss_OID oid; +- char *service_name; +- OM_uint32 gss_flags; +- int auth_flag, wrap_flag, encrypt_flag, mic_flag; +- int v1_format; +- char *msg; +- int use_file; +- int mcount; +- char *username; +- char *password; ++call_server(char *host, u_short port, gss_OID oid, char *service_name, ++ OM_uint32 gss_flags, int auth_flag, int wrap_flag, ++ int encrypt_flag, int mic_flag, int v1_format, char *msg, ++ int use_file, int mcount, char *username, char *password) + { + gss_ctx_id_t context = GSS_C_NO_CONTEXT; + gss_buffer_desc in_buf, out_buf; +@@ -774,9 +761,7 @@ worker_bee(void *unused) + } + + int +-main(argc, argv) +- int argc; +- char **argv; ++main(int argc, char **argv) + { + int i; + +diff --git a/src/appl/gss-sample/gss-misc.c b/src/appl/gss-sample/gss-misc.c +index 1d051edf1e..7eb4c7971d 100644 +--- a/src/appl/gss-sample/gss-misc.c ++++ 
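Review bot: The comment right after the loop, `# old-style-definition? generates many, many warnings`, now reads as stale: the added `error=strict-prototypes` only catches declarations and definitions without a preceding prototype, while the rest of this commit converts the old-style definitions themselves, so `-Wold-style-definition` is presumably far less noisy than when that comment was written. Consider re-trying `TRY_WARN_CC_FLAG(-Wold-style-definition)` here, or at least rewording the comment, so the conversion cannot silently regress. The enclosing `if test "$GCC" = yes` block continues outside the hunk.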
b/src/appl/gss-sample/gss-misc.c +@@ -157,10 +157,7 @@ read_all(int fildes, void *data, unsigned int nbyte) + * if an error occurs or if it could not write all the data. + */ + int +-send_token(s, flags, tok) +- int s; +- int flags; +- gss_buffer_t tok; ++send_token(int s, int flags, gss_buffer_t tok) + { + int ret; + unsigned char char_flags = (unsigned char) flags; +@@ -230,10 +227,7 @@ send_token(s, flags, tok) + * and -1 if an error occurs or if it could not read all the data. + */ + int +-recv_token(s, flags, tok) +- int s; +- int *flags; +- gss_buffer_t tok; ++recv_token(int s, int *flags, gss_buffer_t tok) + { + int ret; + unsigned char char_flags; +@@ -303,10 +297,7 @@ recv_token(s, flags, tok) + } + + static void +-display_status_1(m, code, type) +- char *m; +- OM_uint32 code; +- int type; ++display_status_1(char *m, OM_uint32 code, int type) + { + OM_uint32 min_stat; + gss_buffer_desc msg; +@@ -344,10 +335,7 @@ display_status_1(m, code, type) + * followed by a newline. + */ + void +-display_status(msg, maj_stat, min_stat) +- char *msg; +- OM_uint32 maj_stat; +- OM_uint32 min_stat; ++display_status(char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) + { + display_status_1(msg, maj_stat, GSS_C_GSS_CODE); + display_status_1(msg, min_stat, GSS_C_MECH_CODE); +@@ -370,8 +358,7 @@ display_status(msg, maj_stat, min_stat) + */ + + void +-display_ctx_flags(flags) +- OM_uint32 flags; ++display_ctx_flags(OM_uint32 flags) + { + if (flags & GSS_C_DELEG_FLAG) + fprintf(display_file, "context flag: GSS_C_DELEG_FLAG\n"); +@@ -388,8 +375,7 @@ display_ctx_flags(flags) + } + + void +-print_token(tok) +- gss_buffer_t tok; ++print_token(gss_buffer_t tok) + { + unsigned int i; + unsigned char *p = tok->value; +diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c +index 9b6ce9ffb3..0e9c857e56 100644 +--- a/src/appl/gss-sample/gss-server.c ++++ b/src/appl/gss-sample/gss-server.c +@@ -73,7 +73,7 @@ static OM_uint32 + showLocalIdentity(OM_uint32 *minor, 
gss_name_t name); + + static void +-usage() ++usage(void) + { + fprintf(stderr, "Usage: gss-server [-port port] [-verbose] [-once]"); + #ifdef _WIN32 +diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c +index f2b5b614e3..afb3d2bcba 100644 +--- a/src/appl/user_user/server.c ++++ b/src/appl/user_user/server.c +@@ -39,9 +39,8 @@ + + /* fd 0 is a tcp socket used to talk to the client */ + +-int main(argc, argv) +- int argc; +- char *argv[]; ++int ++main(int argc, char *argv[]) + { + krb5_data pname_data, tkt_data; + int sock = 0; +diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c +index 774b729fdb..48f672a1e8 100644 +--- a/src/clients/kdestroy/kdestroy.c ++++ b/src/clients/kdestroy/kdestroy.c +@@ -47,7 +47,7 @@ char *progname; + + + static void +-usage() ++usage(void) + { + fprintf(stderr, _("Usage: %s [-A] [-q] [-c cache_name] [-p princ_name]\n"), + progname); +diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c +index f4c7b2b842..7a33ffae59 100644 +--- a/src/clients/kinit/kinit.c ++++ b/src/clients/kinit/kinit.c +@@ -45,7 +45,7 @@ + #ifdef HAVE_PWD_H + #include + static char * +-get_name_from_os() ++get_name_from_os(void) + { + struct passwd *pw; + +@@ -137,7 +137,7 @@ const char *shopts = "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CEI:"; + #define USAGE_BREAK "\n\t" + + static void +-usage() ++usage(void) + { + fprintf(stderr, + _("Usage: %s [-V] [-l lifetime] [-s start_time] " +diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c +index dcdc5a2d59..c797b1698f 100644 +--- a/src/clients/klist/klist.c ++++ b/src/clients/klist/klist.c +@@ -80,7 +80,7 @@ static void fillit(FILE *, unsigned int, int); + #define KEYTAB 2 + + static void +-usage() ++usage(void) + { + fprintf(stderr, _("Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] " + "[-a [-n]]] [-k [-i] [-t] [-K]] [-C] [name]\n"), +diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c +index fb9d5d0942..17a8a8f2f0 100644 +--- 
a/src/clients/ksu/authorization.c ++++ b/src/clients/ksu/authorization.c +@@ -30,9 +30,8 @@ + + static void auth_cleanup (FILE *, FILE *, char *); + +-krb5_boolean fowner(fp, uid) +- FILE *fp; +- uid_t uid; ++krb5_boolean ++fowner(FILE *fp, uid_t uid) + { + struct stat sbuf; + +@@ -59,16 +58,10 @@ krb5_boolean fowner(fp, uid) + * + */ + +-krb5_error_code krb5_authorization(context, principal, luser, +- cmd, ok, out_fcmd) +-/* IN */ +- krb5_context context; +- krb5_principal principal; +- const char *luser; +- char *cmd; +- /* OUT */ +- krb5_boolean *ok; +- char **out_fcmd; ++krb5_error_code ++krb5_authorization(krb5_context context, krb5_principal principal, ++ const char *luser, char *cmd, krb5_boolean *ok, ++ char **out_fcmd) + { + struct passwd *pwd; + char *princname; +@@ -178,10 +171,8 @@ any tokens after the principal name FALSE is returned. + + ***********************************************************/ + +-krb5_error_code k5login_lookup (fp, princname, found) +- FILE *fp; +- char *princname; +- krb5_boolean *found; ++krb5_error_code ++k5login_lookup(FILE *fp, char *princname, krb5_boolean *found) + { + + krb5_error_code retval; +@@ -240,12 +231,9 @@ if princname is found{ + + + ***********************************************************/ +-krb5_error_code k5users_lookup (fp, princname, cmd, found, out_fcmd) +- FILE *fp; +- char *princname; +- char *cmd; +- krb5_boolean *found; +- char **out_fcmd; ++krb5_error_code ++k5users_lookup(FILE *fp, char *princname, char *cmd, ++ krb5_boolean *found, char **out_fcmd) + { + krb5_error_code retval; + char * line; +@@ -328,10 +316,8 @@ resolves it into a full path name. 
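Review bot: The `/* IN */` and `/* OUT */` markers that the K&R parameter list of `krb5_authorization` carried are dropped by the new prototype and not moved anywhere, so the reader loses the only statement of which arguments are outputs; the same annotations disappear from `get_line` in this file and from `krb5_ccache_copy` in ccache.c. Keep them as a comment above the definition, e.g. `/* IN: context, principal, luser, cmd.  OUT: *ok, *out_fcmd. */`. The body of krb5_authorization continues outside the hunk.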
+ + ************************************************/ + +-krb5_boolean fcmd_resolve(fcmd, out_fcmd, out_err) +- char *fcmd; +- char ***out_fcmd; +- char **out_err; ++krb5_boolean ++fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + { + char * err; + char ** tmp_fcmd; +@@ -407,8 +393,8 @@ cmd_single - checks if cmd consists of a path + + ********************************************/ + +-krb5_boolean cmd_single(cmd) +- char * cmd; ++krb5_boolean ++cmd_single(char *cmd) + { + + if ( ( strrchr( cmd, '/')) == NULL){ +@@ -423,9 +409,8 @@ cmd_arr_cmp_postfix - compares a command with the postfix + of fcmd + ********************************************/ + +-int cmd_arr_cmp_postfix(fcmd_arr, cmd) +- char **fcmd_arr; +- char *cmd; ++int ++cmd_arr_cmp_postfix(char **fcmd_arr, char *cmd) + { + char * temp_fcmd; + char *ptr; +@@ -457,9 +442,8 @@ cmd_arr_cmp - checks if cmd matches any + + **********************************************/ + +-int cmd_arr_cmp (fcmd_arr, cmd) +- char **fcmd_arr; +- char *cmd; ++int ++cmd_arr_cmp(char **fcmd_arr, char *cmd) + { + int result =1; + int i = 0; +@@ -475,10 +459,8 @@ int cmd_arr_cmp (fcmd_arr, cmd) + } + + +-krb5_boolean find_first_cmd_that_exists(fcmd_arr, cmd_out, err_out) +- char **fcmd_arr; +- char **cmd_out; +- char **err_out; ++krb5_boolean ++find_first_cmd_that_exists(char **fcmd_arr, char **cmd_out, char **err_out) + { + struct stat st_temp; + int i = 0; +@@ -517,12 +499,9 @@ returns 1 if there is an error, 0 if no error. + + ***************************************************************/ + +-int match_commands (fcmd, cmd, match, cmd_out, err_out) +- char *fcmd; +- char *cmd; +- krb5_boolean *match; +- char **cmd_out; +- char **err_out; ++int ++match_commands(char *fcmd, char *cmd, krb5_boolean *match, ++ char **cmd_out, char **err_out) + { + char ** fcmd_arr; + char * err; +@@ -566,11 +545,8 @@ int match_commands (fcmd, cmd, match, cmd_out, err_out) + is set to null if eof. 
+ *********************************************************/ + +-krb5_error_code get_line (fp, out_line) +-/* IN */ +- FILE *fp; +- /* OUT */ +- char **out_line; ++krb5_error_code ++get_line(FILE *fp, char **out_line) + { + char * line, *r, *newline , *line_ptr; + int chunk_count = 1; +@@ -615,9 +591,8 @@ will be returned as part of the first token. + Note: this routine reuses the space pointed to by line + ******************************************************/ + +-char * get_first_token (line, lnext) +- char *line; +- char **lnext; ++char * ++get_first_token(char *line, char **lnext) + { + + char * lptr, * out_ptr; +@@ -651,8 +626,8 @@ Note: that this function modifies the stream + lnext to the next tocken. + **********************************************************/ + +-char * get_next_token (lnext) +- char **lnext; ++char * ++get_next_token (char **lnext) + { + char * lptr, * out_ptr; + +@@ -677,10 +652,8 @@ char * get_next_token (lnext) + return out_ptr; + } + +-static void auth_cleanup(users_fp, login_fp, princname) +- FILE *users_fp; +- FILE *login_fp; +- char *princname; ++static void ++auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname) + { + + free (princname); +@@ -690,8 +663,8 @@ static void auth_cleanup(users_fp, login_fp, princname) + fclose(login_fp); + } + +-void init_auth_names(pw_dir) +- char *pw_dir; ++void ++init_auth_names(char *pw_dir) + { + const char *sep; + int r1, r2; +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index cbb9aa2b85..cca9ce2dfc 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -40,24 +40,18 @@ copies the default cache into the secondary cache, + + ************************************************************************/ + +-void show_credential(); ++void show_credential(krb5_context, krb5_creds *, krb5_ccache); + + /* modifies only the cc_other, the algorithm may look a bit funny, + but I had to do it this way, since remove function did not come + with k5 beta 3 
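Review bot: `get_next_token (char **lnext)` keeps a space before the parameter list while every other definition converted in this commit is written as `name(`; the same slip appears in `plain_dump_principal (krb5_context context, krb5_principal p)` in krb_auth_su.c. Change it to `get_next_token(char **lnext)`. Both function bodies continue outside their hunks.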
release. + */ + +-krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target, +- restrict_creds, primary_principal, stored) +-/* IN */ +- krb5_context context; +- krb5_ccache cc_def; +- krb5_principal target_principal; +- krb5_ccache cc_target; +- krb5_boolean restrict_creds; +- krb5_principal primary_principal; +- /* OUT */ +- krb5_boolean *stored; ++krb5_error_code ++krb5_ccache_copy(krb5_context context, krb5_ccache cc_def, ++ krb5_principal target_principal, krb5_ccache cc_target, ++ krb5_boolean restrict_creds, krb5_principal primary_principal, ++ krb5_boolean *stored) + { + int i=0; + krb5_error_code retval=0; +@@ -105,11 +99,9 @@ krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target, + } + + +-krb5_error_code krb5_store_all_creds(context, cc, creds_def, creds_other) +- krb5_context context; +- krb5_ccache cc; +- krb5_creds **creds_def; +- krb5_creds **creds_other; ++krb5_error_code ++krb5_store_all_creds(krb5_context context, krb5_ccache cc, ++ krb5_creds **creds_def, krb5_creds **creds_other) + { + + int i = 0; +@@ -173,10 +165,8 @@ krb5_error_code krb5_store_all_creds(context, cc, creds_def, creds_other) + return 0; + } + +-krb5_boolean compare_creds(context, cred1, cred2) +- krb5_context context; +- krb5_creds *cred1; +- krb5_creds *cred2; ++krb5_boolean ++compare_creds(krb5_context context, krb5_creds *cred1, krb5_creds *cred2) + { + krb5_boolean retval; + +@@ -188,13 +178,9 @@ krb5_boolean compare_creds(context, cred1, cred2) + return retval; + } + +- +- +- +-krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array) +- krb5_context context; +- krb5_ccache cc; +- krb5_creds ***creds_array; ++krb5_error_code ++krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc, ++ krb5_creds ***creds_array) + { + + krb5_creds creds, temp_tktq, temp_tkt; +@@ -262,10 +248,8 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array) + + } + +- +-krb5_error_code krb5_check_exp(context, tkt_time) +- krb5_context 
context; +- krb5_ticket_times tkt_time; ++krb5_error_code ++krb5_check_exp(krb5_context context, krb5_ticket_times tkt_time) + { + krb5_error_code retval =0; + krb5_timestamp currenttime; +@@ -290,9 +274,8 @@ krb5_error_code krb5_check_exp(context, tkt_time) + return 0; + } + +- +-char *flags_string(cred) +- krb5_creds *cred; ++char * ++flags_string(krb5_creds *cred) + { + static char buf[32]; + int i = 0; +@@ -323,7 +306,8 @@ char *flags_string(cred) + return(buf); + } + +-void printtime(krb5_timestamp ts) ++void ++printtime(krb5_timestamp ts) + { + char fmtbuf[18], fill = ' '; + +@@ -333,9 +317,7 @@ void printtime(krb5_timestamp ts) + + + krb5_error_code +-krb5_get_login_princ(luser, princ_list) +- const char *luser; +- char ***princ_list; ++krb5_get_login_princ(const char *luser, char ***princ_list) + { + struct stat sbuf; + struct passwd *pwd; +@@ -420,13 +402,8 @@ krb5_get_login_princ(luser, princ_list) + return 0; + } + +- +- + void +-show_credential(context, cred, cc) +- krb5_context context; +- krb5_creds *cred; +- krb5_ccache cc; ++show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc) + { + krb5_error_code retval; + char *name, *sname, *flags; +@@ -519,11 +496,9 @@ gen_sym(krb5_context context, char **sym_out) + return 0; + } + +-krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) +- krb5_context context; +- krb5_ccache ccs; +- krb5_ccache cct; +- krb5_principal primary_principal; ++krb5_error_code ++krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct, ++ krb5_principal primary_principal) + { + krb5_error_code retval=0; + krb5_principal temp_principal; +@@ -560,14 +535,10 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) + return retval; + } + +-krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, +- stored) +- krb5_context context; +- krb5_ccache cc; +- krb5_creds **creds_def; +- krb5_creds **creds_other; +- krb5_principal prst; +- 
krb5_boolean *stored; ++krb5_error_code ++krb5_store_some_creds(krb5_context context, krb5_ccache cc, ++ krb5_creds **creds_def, krb5_creds **creds_other, ++ krb5_principal prst, krb5_boolean *stored) + { + + int i = 0; +@@ -610,10 +581,8 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, + return 0; + } + +-krb5_error_code krb5_ccache_filter (context, cc, prst) +- krb5_context context; +- krb5_ccache cc; +- krb5_principal prst; ++krb5_error_code ++krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst) + { + + int i=0; +@@ -657,10 +626,9 @@ krb5_error_code krb5_ccache_filter (context, cc, prst) + return 0; + } + +-krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) +- krb5_context context; +- krb5_creds **creds_list; +- krb5_principal princ; ++krb5_boolean ++krb5_find_princ_in_cred_list(krb5_context context, krb5_creds **creds_list, ++ krb5_principal princ) + { + + int i = 0; +@@ -682,11 +650,9 @@ krb5_boolean krb5_find_princ_in_cred_list (context, creds_list, princ) + return temp_stored; + } + +-krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) +- krb5_context context; +- krb5_ccache cc; +- krb5_principal princ; +- krb5_boolean *found; ++krb5_error_code ++krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc, ++ krb5_principal princ, krb5_boolean *found) + { + krb5_error_code retval; + krb5_creds ** creds_list = NULL; +diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c +index 4f7280f4cb..e906de8ef0 100644 +--- a/src/clients/ksu/heuristic.c ++++ b/src/clients/ksu/heuristic.c +@@ -41,9 +41,8 @@ get_all_princ_from_file - retrieves all principal names + static void close_time (int, FILE *, int, FILE *); + static krb5_boolean find_str_in_list (char **, char *); + +-krb5_error_code get_all_princ_from_file (fp, plist) +- FILE *fp; +- char ***plist; ++krb5_error_code ++get_all_princ_from_file(FILE *fp, char ***plist) + { + + krb5_error_code retval; +@@ 
-92,10 +91,8 @@ list_union - combines list1 and list2 into combined_list. + or used by combined_list. + **************************************************************/ + +-krb5_error_code list_union(list1, list2, combined_list) +- char **list1; +- char **list2; +- char ***combined_list; ++krb5_error_code ++list_union(char **list1, char **list2, char ***combined_list) + { + + unsigned int c1 =0, c2 = 0, i=0, j=0; +@@ -141,11 +138,7 @@ krb5_error_code list_union(list1, list2, combined_list) + } + + krb5_error_code +-filter(fp, cmd, k5users_list, k5users_filt_list) +- FILE *fp; +- char *cmd; +- char **k5users_list; +- char ***k5users_filt_list; ++filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list) + { + + krb5_error_code retval =0; +@@ -195,10 +188,7 @@ filter(fp, cmd, k5users_list, k5users_filt_list) + } + + krb5_error_code +-get_authorized_princ_names(luser, cmd, princ_list) +- const char *luser; +- char *cmd; +- char ***princ_list; ++get_authorized_princ_names(const char *luser, char *cmd, char ***princ_list) + { + + struct passwd *pwd; +@@ -272,11 +262,8 @@ get_authorized_princ_names(luser, cmd, princ_list) + return 0; + } + +-static void close_time(k5users_flag, users_fp, k5login_flag, login_fp) +- int k5users_flag; +- FILE *users_fp; +- int k5login_flag; +- FILE *login_fp; ++static void ++close_time(int k5users_flag, FILE *users_fp, int k5login_flag, FILE *login_fp) + { + + if (!k5users_flag) fclose(users_fp); +@@ -284,9 +271,8 @@ static void close_time(k5users_flag, users_fp, k5login_flag, login_fp) + + } + +-static krb5_boolean find_str_in_list(list , elm) +- char **list; +- char *elm; ++static krb5_boolean ++find_str_in_list(char **list, char *elm) + { + + int i=0; +@@ -313,12 +299,9 @@ A principal is picked that has the best chance of getting in. 
+ + **********************************************************************/ + +- +-krb5_error_code get_closest_principal(context, plist, client, found) +- krb5_context context; +- char **plist; +- krb5_principal *client; +- krb5_boolean *found; ++krb5_error_code ++get_closest_principal(krb5_context context, char **plist, ++ krb5_principal *client, krb5_boolean *found) + { + krb5_error_code retval =0; + krb5_principal temp_client, best_client = NULL; +@@ -385,12 +368,9 @@ find_either_ticket checks to see whether there is a ticket for the + end server or tgt, if neither is there the return FALSE, + *****************************************************************/ + +-krb5_error_code find_either_ticket (context, cc, client, end_server, found) +- krb5_context context; +- krb5_ccache cc; +- krb5_principal client; +- krb5_principal end_server; +- krb5_boolean *found; ++krb5_error_code ++find_either_ticket(krb5_context context, krb5_ccache cc, krb5_principal client, ++ krb5_principal end_server, krb5_boolean *found) + { + + krb5_principal kdc_server; +@@ -424,13 +404,9 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) + return 0; + } + +- +-krb5_error_code find_ticket (context, cc, client, server, found) +- krb5_context context; +- krb5_ccache cc; +- krb5_principal client; +- krb5_principal server; +- krb5_boolean *found; ++krb5_error_code ++find_ticket(krb5_context context, krb5_ccache cc, krb5_principal client, ++ krb5_principal server, krb5_boolean *found) + { + + krb5_creds tgt, tgtq; +@@ -470,13 +446,9 @@ krb5_error_code find_ticket (context, cc, client, server, found) + return 0; + } + +- +- +-krb5_error_code find_princ_in_list (context, princ, plist, found) +- krb5_context context; +- krb5_principal princ; +- char **plist; +- krb5_boolean *found; ++krb5_error_code ++find_princ_in_list(krb5_context context, krb5_principal princ, char **plist, ++ krb5_boolean *found) + { + + int i=0; +@@ -516,21 +488,13 @@ path_out gets set to ... 
+ + ***********************************************************************/ + +-krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, +- source_user, target_user, +- cc_source, options, cmd, +- hostname, client, path_out) +- krb5_context context; +- uid_t source_uid; +- uid_t target_uid; +- char *source_user; +- char *target_user; +- krb5_ccache cc_source; +- krb5_get_init_creds_opt *options; +- char *cmd; +- char *hostname; +- krb5_principal *client; +- int *path_out; ++krb5_error_code ++get_best_princ_for_target(krb5_context context, uid_t source_uid, ++ uid_t target_uid, char *source_user, ++ char *target_user, krb5_ccache cc_source, ++ krb5_get_init_creds_opt *options, char *cmd, ++ char *hostname, krb5_principal *client, ++ int *path_out) + { + + princ_info princ_trials[10]; +diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c +index fb848dcab1..db10251f95 100644 +--- a/src/clients/ksu/krb_auth_su.c ++++ b/src/clients/ksu/krb_auth_su.c +@@ -29,18 +29,13 @@ + #include "ksu.h" + + +-void plain_dump_principal (); +- +-krb5_boolean krb5_auth_check(context, client_pname, hostname, options, +- target_user, cc, path_passwd, target_uid) +- krb5_context context; +- krb5_principal client_pname; +- char *hostname; +- krb5_get_init_creds_opt *options; +- char *target_user; +- uid_t target_uid; +- krb5_ccache cc; +- int *path_passwd; ++void plain_dump_principal(krb5_context, krb5_principal); ++ ++krb5_boolean ++krb5_auth_check(krb5_context context, krb5_principal client_pname, ++ char *hostname, krb5_get_init_creds_opt *options, ++ char *target_user, krb5_ccache cc, int *path_passwd, ++ uid_t target_uid) + { + krb5_principal client; + krb5_verify_init_creds_opt vfy_opts; +@@ -137,13 +132,10 @@ krb5_boolean krb5_auth_check(context, client_pname, hostname, options, + return (TRUE); + } + +-krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password, +- creds_out) +- krb5_context context; +- krb5_principal client; 
+- krb5_get_init_creds_opt *options;
+- krb5_boolean *zero_password;
+- krb5_creds *creds_out;
++krb5_boolean
++ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client,
++ krb5_get_init_creds_opt *options,
++ krb5_boolean *zero_password, krb5_creds *creds_out)
+ {
+ krb5_error_code code;
+ krb5_creds creds;
+@@ -212,11 +204,8 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+ return (TRUE);
+ }
+
+-
+-void dump_principal (context, str, p)
+- krb5_context context;
+- char *str;
+- krb5_principal p;
++void
++dump_principal(krb5_context context, char *str, krb5_principal p)
+ {
+ char * stname;
+ krb5_error_code retval;
+@@ -228,9 +217,8 @@ void dump_principal (context, str, p)
+ fprintf(stderr, " %s: %s\n", str, stname);
+ }
+
+-void plain_dump_principal (context, p)
+- krb5_context context;
+- krb5_principal p;
++void
++plain_dump_principal (krb5_context context, krb5_principal p)
+ {
+ char * stname;
+ krb5_error_code retval;
+@@ -251,11 +239,8 @@ A principal is picked that has the best chance of getting in.
+ + **********************************************************************/ + +- +-krb5_error_code get_best_principal(context, plist, client) +- krb5_context context; +- char **plist; +- krb5_principal *client; ++krb5_error_code ++get_best_principal(krb5_context context, char **plist, krb5_principal *client) + { + krb5_error_code retval =0; + krb5_principal temp_client, best_client = NULL; +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 931f054041..2a351662c8 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -70,7 +70,9 @@ static krb5_error_code resolve_target_cache(krb5_context ksu_context, + /* insure the proper specification of target user as well as catching + ill specified arguments to commands */ + +-void usage (){ ++void ++usage(void) ++{ + fprintf(stderr, + _("Usage: %s [target user] [-n principal] [-c source cachename] " + "[-k] [-r time] [-p|-P] [-f|-F] [-l lifetime] [-zZ] [-q] " +@@ -86,9 +88,7 @@ void usage (){ + static uid_t source_uid, target_uid; + + int +-main (argc, argv) +- int argc; +- char ** argv; ++main(int argc, char ** argv) + { + int hp =0; + int some_rest_copy = 0; +@@ -120,7 +120,6 @@ main (argc, argv) + char ** params; + int keep_target_cache = 0; + int child_pid, child_pgrp, ret_pid; +- extern char * getpass(), *crypt(); + int pargc; + char ** pargv; + krb5_boolean stored = FALSE, cc_reused = FALSE, given_princ = FALSE; +@@ -1049,11 +1048,10 @@ cleanup: + + #ifdef HAVE_GETUSERSHELL + +-int standard_shell(sh) +- char *sh; ++int ++standard_shell(char *sh) + { + char *cp; +- char *getusershell(); + + while ((cp = getusershell()) != NULL) + if (!strcmp(cp, sh)) +@@ -1063,7 +1061,8 @@ int standard_shell(sh) + + #endif /* HAVE_GETUSERSHELL */ + +-static char * ontty() ++static char * ++ontty(void) + { + char *p; + static char buf[MAXPATHLEN + 5]; +@@ -1080,10 +1079,8 @@ static char * ontty() + return (buf); + } + +- +-static int set_env_var(name, value) +- char *name; +- char *value; ++static int 
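Review bot: Removing the local `extern char * getpass(), *crypt();` from `main` and `char *getusershell();` from `standard_shell` makes ksu depend on the system headers for those prototypes; on glibc `getusershell` and the legacy `crypt` declaration in `<unistd.h>` are only visible under feature-test macros (`_DEFAULT_SOURCE` / `_XOPEN_SOURCE`), so if the file's includes do not already arrange for them the build now fails with implicit-declaration errors rather than the old silent mismatch. This was presumably verified on the target platforms, but it is worth a sentence in the commit message. Both function bodies continue outside their hunks.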
++set_env_var(char *name, char *value) + { + char * env_var_buf; + +@@ -1092,9 +1089,8 @@ static int set_env_var(name, value) + + } + +-static void sweep_up(context, cc) +- krb5_context context; +- krb5_ccache cc; ++static void ++sweep_up(krb5_context context, krb5_ccache cc) + { + krb5_error_code retval; + +@@ -1122,11 +1118,7 @@ get_params is to be called for the -a option or -e option to + *****************************************************************/ + + krb5_error_code +-get_params(optindex, pargc, pargv, params) +- int *optindex; +- int pargc; +- char **pargv; +- char ***params; ++get_params(int *optindex, int pargc, char **pargv, char ***params) + { + + int i,j; +@@ -1159,10 +1151,8 @@ void print_status(const char *fmt, ...) + } + + krb5_error_code +-ksu_tgtname(context, server, client, tgtprinc) +- krb5_context context; +- const krb5_data *server, *client; +- krb5_principal *tgtprinc; ++ksu_tgtname(krb5_context context, const krb5_data *server, ++ const krb5_data *client, krb5_principal *tgtprinc) + { + return krb5_build_principal_ext(context, tgtprinc, client->length, client->data, + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, +diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c +index 03f72f596d..ac77a7d524 100644 +--- a/src/clients/kvno/kvno.c ++++ b/src/clients/kvno/kvno.c +@@ -39,7 +39,7 @@ static char *prog; + static int quiet = 0; + + static void +-xusage() ++xusage(void) + { + fprintf(stderr, _("usage: %s [-c ccache] [-e etype] [-k keytab] [-q] " + "[-u | -S sname]\n" +diff --git a/src/include/gssrpc/auth_gssapi.h b/src/include/gssrpc/auth_gssapi.h +index 9d94853228..63436a698a 100644 +--- a/src/include/gssrpc/auth_gssapi.h ++++ b/src/include/gssrpc/auth_gssapi.h +@@ -82,14 +82,12 @@ bool_t xdr_authgssapi_init_res(XDR *, auth_gssapi_init_res *); + + bool_t auth_gssapi_wrap_data + (OM_uint32 *major, OM_uint32 *minor, +- gss_ctx_id_t context, uint32_t seq_num, XDR +- *out_xdrs, bool_t (*xdr_func)(), caddr_t +- xdr_ptr); ++ gss_ctx_id_t context, 
uint32_t seq_num,
++ XDR *out_xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr);
+ bool_t auth_gssapi_unwrap_data
+ (OM_uint32 *major, OM_uint32 *minor,
+- gss_ctx_id_t context, uint32_t seq_num, XDR
+- *in_xdrs, bool_t (*xdr_func)(), caddr_t
+- xdr_ptr);
++ gss_ctx_id_t context, uint32_t seq_num,
++ XDR *in_xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr);
+
+ AUTH *auth_gssapi_create
+ (CLIENT *clnt,
+diff --git a/src/include/gssrpc/xdr.h b/src/include/gssrpc/xdr.h
+index da9e173782..4e5c29bdc2 100644
+--- a/src/include/gssrpc/xdr.h
++++ b/src/include/gssrpc/xdr.h
+@@ -102,7 +102,6 @@ enum xdr_op {
+ *
+ * XXX can't actually prototype it, because some take three args!!!
+ */
+-typedef bool_t (*xdrproc_t)();
+
+ /*
+ * The XDR handle.
+@@ -143,6 +142,8 @@ typedef struct XDR {
+ int x_handy; /* extra private word */
+ } XDR;
+
++typedef bool_t (*xdrproc_t)(XDR *, void *);
++
+ /*
+ * Operations defined on a XDR handle
+ *
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 768110e5ef..b3e07945c1 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -2236,7 +2236,7 @@ make_data(void *data, unsigned int len)
+ }
+
+ static inline krb5_data
+-empty_data()
++empty_data(void)
+ {
+ return make_data(NULL, 0);
+ }
+diff --git a/src/include/k5-plugin.h b/src/include/k5-plugin.h
+index 90809e168e..5c5af586c5 100644
+--- a/src/include/k5-plugin.h
++++ b/src/include/k5-plugin.h
+@@ -97,7 +97,7 @@ krb5int_get_plugin_data (struct plugin_file_handle *, const char *, void **,
+
+ long KRB5_CALLCONV
+ krb5int_get_plugin_func (struct plugin_file_handle *, const char *,
+- void (**)(), struct errinfo *);
++ void (**)(void), struct errinfo *);
+
+
+ long KRB5_CALLCONV
+diff --git a/src/include/net-server.h b/src/include/net-server.h
+index a30749d851..29b235eeb8 100644
+--- a/src/include/net-server.h
++++ b/src/include/net-server.h
+@@ -30,6 +30,7 @@
+ #define NET_SERVER_H
+
+ #include
++#include
+
+ /* The delimiter characters supported by the addresses string.
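Review bot: The comment `* XXX can't actually prototype it, because some take three args!!!` is left in place in the `@@ -102,7 +102,6 @@` hunk of xdr.h while the typedef it describes is removed, and the new `typedef bool_t (*xdrproc_t)(XDR *, void *);` at +142 does prototype it, so the comment is now both orphaned and wrong; delete that comment block or replace it with `/* xdrproc_t is declared after struct XDR below. */`. Separately, any XDR routine that still takes three arguments and is passed as an `xdrproc_t` is now invoked through a mismatched function-pointer type, which is undefined behaviour and traps at runtime under CFI-instrumented builds; the xdr_array.c and xdr_reference.c entries in the diffstat presumably deal with those callers, but they are outside this hunk.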
*/
+ #define ADDRESSES_DELIM ",; "
+@@ -64,13 +65,14 @@ krb5_error_code loop_add_udp_address(int default_port, const char *addresses);
+ krb5_error_code loop_add_tcp_address(int default_port, const char *addresses);
+ krb5_error_code loop_add_rpc_service(int default_port, const char *addresses,
+ u_long prognum, u_long versnum,
+- void (*dispatchfn)());
++ void (*dispatchfn)(struct svc_req *,
++ SVCXPRT *));
+
+ krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle,
+ const char *progname,
+ int tcp_listen_backlog);
+ krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle,
+- void (*reset)());
++ void (*reset)(void *));
+ void loop_free(verto_ctx *ctx);
+
+ /* to be supplied by the server application */
+diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
+index d14cf963c5..3d69f0b8a4 100644
+--- a/src/kadmin/cli/getdate.y
++++ b/src/kadmin/cli/getdate.y
+@@ -100,9 +100,6 @@ struct my_timeb {
+ #define bcopy(from, to, len) memcpy ((to), (from), (len))
+ #endif
+
+-extern struct tm *gmtime();
+-extern struct tm *localtime();
+-
+ #define yyparse getdate_yyparse
+ #define yylex getdate_yylex
+ #define yyerror getdate_yyerror
+diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
+index f3ea6fae17..23b64b0f58 100644
+--- a/src/kadmin/cli/kadmin.c
++++ b/src/kadmin/cli/kadmin.c
+@@ -98,7 +98,7 @@ error(const char *fmt, ...)
+ } + + static void +-usage() ++usage(void) + { + error(_("Usage: %s [-r realm] [-p principal] [-q query] " + "[clnt|local args]\n" +@@ -1130,7 +1130,7 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, + } + + static void +-kadmin_addprinc_usage() ++kadmin_addprinc_usage(void) + { + error(_("usage: add_principal [options] principal\n")); + error(_("\toptions are:\n")); +@@ -1154,7 +1154,7 @@ kadmin_addprinc_usage() + } + + static void +-kadmin_modprinc_usage() ++kadmin_modprinc_usage(void) + { + error(_("usage: modify_principal [options] principal\n")); + error(_("\toptions are:\n")); +diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c +index b0c8378b40..26f340af31 100644 +--- a/src/kadmin/cli/keytab.c ++++ b/src/kadmin/cli/keytab.c +@@ -50,14 +50,14 @@ static int quiet; + static int norandkey; + + static void +-add_usage() ++add_usage(void) + { + fprintf(stderr, _("Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] " + "[-norandkey] [principal | -glob princ-exp] [...]\n")); + } + + static void +-rem_usage() ++rem_usage(void) + { + fprintf(stderr, _("Usage: ktremove [-k[eytab] keytab] [-q] principal " + "[kvno|\"all\"|\"old\"]\n")); +diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c +index 038a0b2190..9178fca6da 100644 +--- a/src/kadmin/dbutil/kdb5_create.c ++++ b/src/kadmin/dbutil/kdb5_create.c +@@ -139,9 +139,8 @@ extern int exit_status; + extern kadm5_config_params global_params; + extern krb5_context util_context; + +-void kdb5_create(argc, argv) +- int argc; +- char *argv[]; ++void ++kdb5_create(int argc, char *argv[]) + { + int optchar; + +@@ -337,9 +336,7 @@ void kdb5_create(argc, argv) + } + + static krb5_error_code +-tgt_keysalt_iterate(ksent, ptr) +- krb5_key_salt_tuple *ksent; +- krb5_pointer ptr; ++tgt_keysalt_iterate(krb5_key_salt_tuple *ksent, krb5_pointer ptr) + { + krb5_context context; + krb5_error_code kret; +@@ -378,11 +375,8 @@ tgt_keysalt_iterate(ksent, ptr) + } + + 
static krb5_error_code +-add_principal(context, princ, op, pblock) +- krb5_context context; +- krb5_principal princ; +- enum ap_op op; +- struct realm_info *pblock; ++add_principal(krb5_context context, krb5_principal princ, enum ap_op op, ++ struct realm_info *pblock) + { + krb5_error_code retval; + krb5_db_entry *entry = NULL; +diff --git a/src/kadmin/dbutil/kdb5_destroy.c b/src/kadmin/dbutil/kdb5_destroy.c +index fffce74296..556cf0b6bb 100644 +--- a/src/kadmin/dbutil/kdb5_destroy.c ++++ b/src/kadmin/dbutil/kdb5_destroy.c +@@ -39,9 +39,7 @@ char *yes = "yes\n"; /* \n to compare against result of + fgets */ + + void +-kdb5_destroy(argc, argv) +- int argc; +- char *argv[]; ++kdb5_destroy(int argc, char *argv[]) + { + extern int optind; + int optchar; +diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c +index e05944f290..eaba6cd353 100644 +--- a/src/kadmin/dbutil/kdb5_stash.c ++++ b/src/kadmin/dbutil/kdb5_stash.c +@@ -63,9 +63,7 @@ extern int exit_status; + extern int close_policy_db; + + void +-kdb5_stash(argc, argv) +- int argc; +- char *argv[]; ++kdb5_stash(int argc, char *argv[]) + { + extern char *optarg; + extern int optind; +diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c +index 19a59250ee..55d529fa4c 100644 +--- a/src/kadmin/dbutil/kdb5_util.c ++++ b/src/kadmin/dbutil/kdb5_util.c +@@ -143,8 +143,8 @@ struct _cmd_table { + {NULL, NULL, 0}, + }; + +-static struct _cmd_table *cmd_lookup(name) +- char *name; ++static struct _cmd_table * ++cmd_lookup(char *name) + { + struct _cmd_table *cmd = cmd_table; + while (cmd->name) { +@@ -162,8 +162,9 @@ static struct _cmd_table *cmd_lookup(name) + char **db5util_db_args = NULL; + int db5util_db_args_size = 0; + +-static void extended_com_err_fn (const char *myprog, errcode_t code, +- const char *fmt, va_list args) ++static void ++extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt, ++ va_list args) + { + const char *emsg; + if (code) { +@@ -177,7 
+178,8 @@ static void extended_com_err_fn (const char *myprog, errcode_t code, + fprintf (stderr, "\n"); + } + +-int add_db_arg(char *arg) ++int ++add_db_arg(char *arg) + { + char **temp; + db5util_db_args_size++; +@@ -191,9 +193,8 @@ int add_db_arg(char *arg) + return 1; + } + +-int main(argc, argv) +- int argc; +- char *argv[]; ++int ++main(int argc, char *argv[]) + { + struct _cmd_table *cmd = NULL; + char *koptarg, **cmd_argv; +@@ -365,7 +366,8 @@ int main(argc, argv) + * cannot be fetched (the master key stash file may not exist when the + * program is run). + */ +-static int open_db_and_mkey() ++static int ++open_db_and_mkey() + { + krb5_error_code retval; + krb5_data scratch, pwd, seed; +@@ -508,9 +510,7 @@ quit() + } + + static void +-add_random_key(argc, argv) +- int argc; +- char **argv; ++add_random_key(int argc, char **argv) + { + krb5_error_code ret; + krb5_principal princ; +diff --git a/src/kadmin/dbutil/ovload.c b/src/kadmin/dbutil/ovload.c +index 15a5ab3005..b2e6c00eac 100644 +--- a/src/kadmin/dbutil/ovload.c ++++ b/src/kadmin/dbutil/ovload.c +@@ -11,9 +11,8 @@ + + #define LINESIZE 32768 /* XXX */ + +-static int parse_pw_hist_ent(current, hist) +- char *current; +- osa_pw_hist_ent *hist; ++static int ++parse_pw_hist_ent(char *current, osa_pw_hist_ent *hist) + { + int tmp, i, j, ret; + char *cp; +@@ -90,12 +89,9 @@ done: + * [modifies] + * + */ +-int process_ov_principal(kcontext, fname, filep, verbose, linenop) +- krb5_context kcontext; +- const char *fname; +- FILE *filep; +- krb5_boolean verbose; +- int *linenop; ++int ++process_ov_principal(krb5_context kcontext, const char *fname, FILE *filep, ++ krb5_boolean verbose, int *linenop) + { + XDR xdrs; + osa_princ_ent_t rec; +diff --git a/src/kadmin/dbutil/strtok.c b/src/kadmin/dbutil/strtok.c +index dee466aea1..93f3e85a51 100644 +--- a/src/kadmin/dbutil/strtok.c ++++ b/src/kadmin/dbutil/strtok.c +@@ -50,9 +50,7 @@ + */ + + char * +-nstrtok(s, delim) +- char *s; +- const char *delim; ++nstrtok(char 
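Review bot: `open_db_and_mkey()` in the `@@ -365,7 +366,8 @@` hunk keeps an empty parameter list after the rewrite, while every other zero-argument definition in this patch gets an explicit `void` (e.g. `usage(void)`, `kadmin_addprinc_usage(void)`, `setup_kdb_keytab(void)`). In C11 `()` is still a non-prototype declaration, so `-Wstrict-prototypes` will keep warning on this one function and, presumably, the patch's aim of prototyping every definition is missed here; the fix is one token: `static int open_db_and_mkey(void)`. Only the function's opening lines are in the hunk; its body continues outside it.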
*s, const char *delim) + { + const char *spanp; + int c, sc; +diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c +index 92d7023a4f..87a69ca145 100644 +--- a/src/kadmin/ktutil/ktutil.c ++++ b/src/kadmin/ktutil/ktutil.c +@@ -39,9 +39,8 @@ extern ss_request_table ktutil_cmds; + krb5_context kcontext; + krb5_kt_list ktlist = NULL; + +-int main(argc, argv) +- int argc; +- char *argv[]; ++int ++main(int argc, char *argv[]) + { + krb5_error_code retval; + int sci_idx; +@@ -63,9 +62,8 @@ int main(argc, argv) + exit(0); + } + +-void ktutil_clear_list(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_clear_list(int argc, char *argv[]) + { + krb5_error_code retval; + +@@ -79,9 +77,8 @@ void ktutil_clear_list(argc, argv) + ktlist = NULL; + } + +-void ktutil_read_v5(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_read_v5(int argc, char *argv[]) + { + krb5_error_code retval; + +@@ -94,17 +91,15 @@ void ktutil_read_v5(argc, argv) + com_err(argv[0], retval, _("while reading keytab \"%s\""), argv[1]); + } + +-void ktutil_read_v4(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_read_v4(int argc, char *argv[]) + { + fprintf(stderr, _("%s: reading srvtabs is no longer supported\n"), + argv[0]); + } + +-void ktutil_write_v5(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_write_v5(int argc, char *argv[]) + { + krb5_error_code retval; + +@@ -117,17 +112,15 @@ void ktutil_write_v5(argc, argv) + com_err(argv[0], retval, _("while writing keytab \"%s\""), argv[1]); + } + +-void ktutil_write_v4(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_write_v4(int argc, char *argv[]) + { + fprintf(stderr, _("%s: writing srvtabs is no longer supported\n"), + argv[0]); + } + +-void ktutil_add_entry(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_add_entry(int argc, char *argv[]) + { + krb5_error_code retval; + char *princ = NULL; +@@ -183,9 +176,8 @@ void ktutil_add_entry(argc, argv) + com_err(argv[0], retval, _("while adding new 
entry")); + } + +-void ktutil_delete_entry(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_delete_entry(int argc, char *argv[]) + { + krb5_error_code retval; + +@@ -198,9 +190,8 @@ void ktutil_delete_entry(argc, argv) + com_err(argv[0], retval, _("while deleting entry %d"), atoi(argv[1])); + } + +-void ktutil_list(argc, argv) +- int argc; +- char *argv[]; ++void ++ktutil_list(int argc, char *argv[]) + { + krb5_error_code retval; + krb5_kt_list lp; +diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c +index 56bed1bbcc..e489b5b57a 100644 +--- a/src/kadmin/ktutil/ktutil_funcs.c ++++ b/src/kadmin/ktutil/ktutil_funcs.c +@@ -37,9 +37,8 @@ + /* + * Free a kt_list + */ +-krb5_error_code ktutil_free_kt_list(context, list) +- krb5_context context; +- krb5_kt_list list; ++krb5_error_code ++ktutil_free_kt_list(krb5_context context, krb5_kt_list list) + { + krb5_kt_list lp, prev; + krb5_error_code retval = 0; +@@ -60,10 +59,8 @@ krb5_error_code ktutil_free_kt_list(context, list) + * Delete a numbered entry in a kt_list. Takes a pointer to a kt_list + * in case head gets deleted. + */ +-krb5_error_code ktutil_delete(context, list, idx) +- krb5_context context; +- krb5_kt_list *list; +- int idx; ++krb5_error_code ++ktutil_delete(krb5_context context, krb5_kt_list *list, int idx) + { + krb5_kt_list lp, prev; + int i; +@@ -138,16 +135,10 @@ get_etype_info(krb5_context context, krb5_principal princ, int fetch, + * password or key. If the keytab list is NULL, allocate a new + * one first. 
+ */ +-krb5_error_code ktutil_add(context, list, princ_str, fetch, kvno, +- enctype_str, use_pass, salt_str) +- krb5_context context; +- krb5_kt_list *list; +- char *princ_str; +- int fetch; +- krb5_kvno kvno; +- char *enctype_str; +- int use_pass; +- char *salt_str; ++krb5_error_code ++ktutil_add(krb5_context context, krb5_kt_list *list, char *princ_str, ++ int fetch, krb5_kvno kvno, char *enctype_str, int use_pass, ++ char *salt_str) + { + krb5_keytab_entry *entry = NULL; + krb5_kt_list lp, *last; +@@ -269,10 +260,8 @@ cleanup: + * Read in a keytab and append it to list. If list starts as NULL, + * allocate a new one if necessary. + */ +-krb5_error_code ktutil_read_keytab(context, name, list) +- krb5_context context; +- char *name; +- krb5_kt_list *list; ++krb5_error_code ++ktutil_read_keytab(krb5_context context, char *name, krb5_kt_list *list) + { + krb5_kt_list lp = NULL, tail = NULL, back = NULL; + krb5_keytab kt; +@@ -344,10 +333,8 @@ close_kt: + /* + * Takes a kt_list and writes it to the named keytab. 
+ */ +-krb5_error_code ktutil_write_keytab(context, list, name) +- krb5_context context; +- krb5_kt_list list; +- char *name; ++krb5_error_code ++ktutil_write_keytab(krb5_context context, krb5_kt_list list, char *name) + { + krb5_kt_list lp; + krb5_keytab kt; +diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c +index 56e9b90b20..e5dd233e81 100644 +--- a/src/kadmin/server/ipropd_svc.c ++++ b/src/kadmin/server/ipropd_svc.c +@@ -535,8 +535,8 @@ krb5_iprop_prog_1(struct svc_req *rqstp, + kdb_last_t iprop_get_updates_1_arg; + } argument; + void *result; +- bool_t (*_xdr_argument)(), (*_xdr_result)(); +- void *(*local)(/* union XXX *, struct svc_req * */); ++ xdrproc_t _xdr_argument, _xdr_result; ++ void *(*local)(char *, struct svc_req *); + char *whoami = "krb5_iprop_prog_1"; + + if (!check_iprop_rpcsec_auth(rqstp)) { +@@ -555,21 +555,21 @@ krb5_iprop_prog_1(struct svc_req *rqstp, + return; + + case IPROP_GET_UPDATES: +- _xdr_argument = xdr_kdb_last_t; +- _xdr_result = xdr_kdb_incr_result_t; +- local = (void *(*)()) iprop_get_updates_1_svc; ++ _xdr_argument = (xdrproc_t)xdr_kdb_last_t; ++ _xdr_result = (xdrproc_t)xdr_kdb_incr_result_t; ++ local = (void *(*)(char *, struct svc_req *))iprop_get_updates_1_svc; + break; + + case IPROP_FULL_RESYNC: +- _xdr_argument = xdr_void; +- _xdr_result = xdr_kdb_fullresync_result_t; +- local = (void *(*)()) iprop_full_resync_1_svc; ++ _xdr_argument = (xdrproc_t)xdr_void; ++ _xdr_result = (xdrproc_t)xdr_kdb_fullresync_result_t; ++ local = (void *(*)(char *, struct svc_req *))iprop_full_resync_1_svc; + break; + + case IPROP_FULL_RESYNC_EXT: +- _xdr_argument = xdr_u_int32; +- _xdr_result = xdr_kdb_fullresync_result_t; +- local = (void *(*)()) iprop_full_resync_ext_1_svc; ++ _xdr_argument = (xdrproc_t)xdr_u_int32; ++ _xdr_result = (xdrproc_t)xdr_kdb_fullresync_result_t; ++ local = (void *(*)(char *, struct svc_req *))iprop_full_resync_ext_1_svc; + break; + + default: +@@ -587,7 +587,7 @@ krb5_iprop_prog_1(struct 
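Review bot: The `(void *(*)(char *, struct svc_req *))` casts in the `@@ -555,21 +555,21 @@` hunk of ipropd_svc.c mean that `(*local)((char *)&argument, rqstp)` in the following `@@ -587,7 +587,7 @@` hunk is still a call through a pointer type that presumably differs from each `iprop_*_1_svc` function's own declared parameter type, which C11 6.5.2.2p9 leaves undefined and which type-based indirect-call checking such as `-fsanitize=cfi-icall` rejects at runtime. The rewrite trades the old `(void *(*)())` cast for a fully spelled-out one, but the compiler still never verifies that the `_xdr_argument` chosen in a case matches the handler's real argument type, so a wrongly paired decoder/handler would compile silently. The same pattern is repeated for every case of the `@@ -92,153 +92,153 @@` hunk of kadm_rpc_svc.c and its `@@ -253,7 +253,7 @@` call site. If the handlers cannot be given the common signature themselves, the repeated cast would at least read better behind one typedef, e.g. `typedef bool_t (*kadm_svc_fn)(char *, void *, struct svc_req *);` (name illustrative) used as `local = (kadm_svc_fn)create_principal_2_svc;`.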
svc_req *rqstp, + svcerr_decode(transp); + return; + } +- result = (*local)(&argument, rqstp); ++ result = (*local)((char *)&argument, rqstp); + + if (_xdr_result && result != NULL && + !svc_sendreply(transp, _xdr_result, result)) { +diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c +index 8371fa76ca..f0e43d9aea 100644 +--- a/src/kadmin/server/kadm_rpc_svc.c ++++ b/src/kadmin/server/kadm_rpc_svc.c +@@ -9,6 +9,7 @@ + #include /* for gss_nt_krb5_name */ + #include + #include ++#include + #include + #include + #include +@@ -36,9 +37,8 @@ static int check_rpcsec_auth(struct svc_req *); + * Modifies: + */ + +-void kadm_1(rqstp, transp) +- struct svc_req *rqstp; +- SVCXPRT *transp; ++void ++kadm_1(struct svc_req *rqstp, SVCXPRT *transp) + { + union { + cprinc_arg create_principal_2_arg; +@@ -73,8 +73,8 @@ void kadm_1(rqstp, transp) + getpkeys_ret get_principal_keys_ret; + } result; + bool_t retval; +- bool_t (*xdr_argument)(), (*xdr_result)(); +- bool_t (*local)(); ++ xdrproc_t xdr_argument, xdr_result; ++ bool_t (*local)(char *, void *, struct svc_req *); + + if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI && + !check_rpcsec_auth(rqstp)) { +@@ -92,153 +92,153 @@ void kadm_1(rqstp, transp) + return; + + case CREATE_PRINCIPAL: +- xdr_argument = xdr_cprinc_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) create_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_cprinc_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))create_principal_2_svc; + break; + + case DELETE_PRINCIPAL: +- xdr_argument = xdr_dprinc_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) delete_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_dprinc_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))delete_principal_2_svc; + break; + + case MODIFY_PRINCIPAL: +- xdr_argument = xdr_mprinc_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t 
(*)()) modify_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_mprinc_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))modify_principal_2_svc; + break; + + case RENAME_PRINCIPAL: +- xdr_argument = xdr_rprinc_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) rename_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_rprinc_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))rename_principal_2_svc; + break; + + case GET_PRINCIPAL: +- xdr_argument = xdr_gprinc_arg; +- xdr_result = xdr_gprinc_ret; +- local = (bool_t (*)()) get_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_gprinc_arg; ++ xdr_result = (xdrproc_t)xdr_gprinc_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_principal_2_svc; + break; + + case GET_PRINCS: +- xdr_argument = xdr_gprincs_arg; +- xdr_result = xdr_gprincs_ret; +- local = (bool_t (*)()) get_princs_2_svc; ++ xdr_argument = (xdrproc_t)xdr_gprincs_arg; ++ xdr_result = (xdrproc_t)xdr_gprincs_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_princs_2_svc; + break; + + case CHPASS_PRINCIPAL: +- xdr_argument = xdr_chpass_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) chpass_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_chpass_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))chpass_principal_2_svc; + break; + + case SETKEY_PRINCIPAL: +- xdr_argument = xdr_setkey_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) setkey_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_setkey_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))setkey_principal_2_svc; + break; + + case CHRAND_PRINCIPAL: +- xdr_argument = xdr_chrand_arg; +- xdr_result = xdr_chrand_ret; +- local = (bool_t (*)()) chrand_principal_2_svc; ++ xdr_argument = (xdrproc_t)xdr_chrand_arg; ++ xdr_result 
= (xdrproc_t)xdr_chrand_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))chrand_principal_2_svc; + break; + + case CREATE_POLICY: +- xdr_argument = xdr_cpol_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) create_policy_2_svc; ++ xdr_argument = (xdrproc_t)xdr_cpol_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))create_policy_2_svc; + break; + + case DELETE_POLICY: +- xdr_argument = xdr_dpol_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) delete_policy_2_svc; ++ xdr_argument = (xdrproc_t)xdr_dpol_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))delete_policy_2_svc; + break; + + case MODIFY_POLICY: +- xdr_argument = xdr_mpol_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) modify_policy_2_svc; ++ xdr_argument = (xdrproc_t)xdr_mpol_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))modify_policy_2_svc; + break; + + case GET_POLICY: +- xdr_argument = xdr_gpol_arg; +- xdr_result = xdr_gpol_ret; +- local = (bool_t (*)()) get_policy_2_svc; ++ xdr_argument = (xdrproc_t)xdr_gpol_arg; ++ xdr_result = (xdrproc_t)xdr_gpol_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_policy_2_svc; + break; + + case GET_POLS: +- xdr_argument = xdr_gpols_arg; +- xdr_result = xdr_gpols_ret; +- local = (bool_t (*)()) get_pols_2_svc; ++ xdr_argument = (xdrproc_t)xdr_gpols_arg; ++ xdr_result = (xdrproc_t)xdr_gpols_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_pols_2_svc; + break; + + case GET_PRIVS: +- xdr_argument = xdr_u_int32; +- xdr_result = xdr_getprivs_ret; +- local = (bool_t (*)()) get_privs_2_svc; ++ xdr_argument = (xdrproc_t)xdr_u_int32; ++ xdr_result = (xdrproc_t)xdr_getprivs_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_privs_2_svc; + break; + + case INIT: +- xdr_argument = xdr_u_int32; +- xdr_result = 
xdr_generic_ret; +- local = (bool_t (*)()) init_2_svc; ++ xdr_argument = (xdrproc_t)xdr_u_int32; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))init_2_svc; + break; + + case CREATE_PRINCIPAL3: +- xdr_argument = xdr_cprinc3_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) create_principal3_2_svc; ++ xdr_argument = (xdrproc_t)xdr_cprinc3_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))create_principal3_2_svc; + break; + + case CHPASS_PRINCIPAL3: +- xdr_argument = xdr_chpass3_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) chpass_principal3_2_svc; ++ xdr_argument = (xdrproc_t)xdr_chpass3_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))chpass_principal3_2_svc; + break; + + case CHRAND_PRINCIPAL3: +- xdr_argument = xdr_chrand3_arg; +- xdr_result = xdr_chrand_ret; +- local = (bool_t (*)()) chrand_principal3_2_svc; ++ xdr_argument = (xdrproc_t)xdr_chrand3_arg; ++ xdr_result = (xdrproc_t)xdr_chrand_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))chrand_principal3_2_svc; + break; + + case SETKEY_PRINCIPAL3: +- xdr_argument = xdr_setkey3_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) setkey_principal3_2_svc; ++ xdr_argument = (xdrproc_t)xdr_setkey3_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))setkey_principal3_2_svc; + break; + + case PURGEKEYS: +- xdr_argument = xdr_purgekeys_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) purgekeys_2_svc; ++ xdr_argument = (xdrproc_t)xdr_purgekeys_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))purgekeys_2_svc; + break; + + case GET_STRINGS: +- xdr_argument = xdr_gstrings_arg; +- xdr_result = xdr_gstrings_ret; +- local = (bool_t (*)()) get_strings_2_svc; ++ xdr_argument = 
(xdrproc_t)xdr_gstrings_arg; ++ xdr_result = (xdrproc_t)xdr_gstrings_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_strings_2_svc; + break; + + case SET_STRING: +- xdr_argument = xdr_sstring_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) set_string_2_svc; ++ xdr_argument = (xdrproc_t)xdr_sstring_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))set_string_2_svc; + break; + + case SETKEY_PRINCIPAL4: +- xdr_argument = xdr_setkey4_arg; +- xdr_result = xdr_generic_ret; +- local = (bool_t (*)()) setkey_principal4_2_svc; ++ xdr_argument = (xdrproc_t)xdr_setkey4_arg; ++ xdr_result = (xdrproc_t)xdr_generic_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))setkey_principal4_2_svc; + break; + + case EXTRACT_KEYS: +- xdr_argument = xdr_getpkeys_arg; +- xdr_result = xdr_getpkeys_ret; +- local = (bool_t (*)()) get_principal_keys_2_svc; ++ xdr_argument = (xdrproc_t)xdr_getpkeys_arg; ++ xdr_result = (xdrproc_t)xdr_getpkeys_ret; ++ local = (bool_t (*)(char *, void *, struct svc_req *))get_principal_keys_2_svc; + break; + + default: +@@ -253,7 +253,7 @@ void kadm_1(rqstp, transp) + return; + } + memset(&result, 0, sizeof(result)); +- retval = (*local)(&argument, &result, rqstp); ++ retval = (*local)((char *)&argument, &result, rqstp); + if (retval && !svc_sendreply(transp, xdr_result, (void *)&result)) { + krb5_klog_syslog(LOG_ERR, "WARNING! 
Unable to send function results, " + "continuing."); +diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c +index b29a0f5b63..a9508af120 100644 +--- a/src/kadmin/server/ovsec_kadmd.c ++++ b/src/kadmin/server/ovsec_kadmd.c +@@ -77,7 +77,7 @@ static krb5_context context; + static char *progname; + + static void +-usage() ++usage(void) + { + fprintf(stderr, _("Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] " + "[-port port-number]\n" +@@ -173,7 +173,7 @@ setup_loop(kadm5_config_params *params, int proponly, verto_ctx **ctx_out) + + /* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */ + static krb5_error_code +-setup_kdb_keytab() ++setup_kdb_keytab(void) + { + krb5_error_code ret; + +diff --git a/src/kdc/t_ndr.c b/src/kdc/t_ndr.c +index a3ac661bd0..c2a2414313 100644 +--- a/src/kdc/t_ndr.c ++++ b/src/kdc/t_ndr.c +@@ -173,7 +173,7 @@ test_dec_enc(uint8_t *blob, size_t len, char *name, int fail) + #define RUN_TEST_FAIL(blob) test_dec_enc(blob, sizeof(blob), #blob, 1) + + int +-main() ++main(void) + { + printf("Running NDR tests...\n"); + +diff --git a/src/kdc/t_replay.c b/src/kdc/t_replay.c +index 57aad886cd..c9c9d65946 100644 +--- a/src/kdc/t_replay.c ++++ b/src/kdc/t_replay.c +@@ -570,7 +570,8 @@ test_kdc_insert_lookaside_cache_expire(void **state) + assert_int_equal(total_size, e2_size); + } + +-int main() ++int ++main(void) + { + int ret; + +@@ -611,7 +612,8 @@ int main() + + #else /* NOCACHE */ + +-int main() ++int ++main(void) + { + return 0; + } +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index cb9785aaeb..f883ae2df8 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -165,7 +165,7 @@ static kadm5_ret_t kadm5_get_kiprop_host_srv_name(krb5_context context, + char **host_service_name); + + static void +-usage() ++usage(void) + { + fprintf(stderr, + _("\nUsage: %s [-r realm] [-s keytab] [-d] [-D] [-S]\n" +diff --git a/src/kprop/kproplog.c b/src/kprop/kproplog.c +index 
06af2a1d60..1f10aa6dc7 100644 +--- a/src/kprop/kproplog.c ++++ b/src/kprop/kproplog.c +@@ -24,7 +24,7 @@ + static char *progname; + + static void +-usage() ++usage(void) + { + fprintf(stderr, _("\nUsage: %s [-h] [-v] [-v] [-e num]\n\t%s -R\n\n"), + progname, progname); +@@ -393,7 +393,7 @@ print_update(kdb_hlog_t *ulog, uint32_t entry, uint32_t ulogentries, + print_attr(&upd.kdb_update.kdbe_t_val[j], verbose > 1 ? 1 : 0); + } + +- xdr_free(xdr_kdb_incr_update_t, (char *)&upd); ++ xdr_free((xdrproc_t)xdr_kdb_incr_update_t, (char *)&upd); + free(dbprinc); + } + } +diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c +index 1bdc7932b6..75372d8940 100644 +--- a/src/lib/apputils/net-server.c ++++ b/src/lib/apputils/net-server.c +@@ -203,7 +203,7 @@ struct connection { + struct rpc_svc_data { + u_long prognum; + u_long versnum; +- void (*dispatch)(); ++ void (*dispatch)(struct svc_req *, SVCXPRT *); + }; + + struct bind_address { +@@ -255,7 +255,7 @@ free_sighup_context(verto_ctx *ctx, verto_ev *ev) + } + + krb5_error_code +-loop_setup_signals(verto_ctx *ctx, void *handle, void (*reset)()) ++loop_setup_signals(verto_ctx *ctx, void *handle, void (*reset)(void *)) + { + struct sighup_context *sc; + verto_ev *ev; +@@ -434,7 +434,8 @@ loop_add_tcp_address(int default_port, const char *addresses) + + krb5_error_code + loop_add_rpc_service(int default_port, const char *addresses, u_long prognum, +- u_long versnum, void (*dispatchfn)()) ++ u_long versnum, ++ void (*dispatchfn)(struct svc_req *, SVCXPRT *)) + { + struct rpc_svc_data svc; + +diff --git a/src/lib/crypto/builtin/aes/aes-gen.c b/src/lib/crypto/builtin/aes/aes-gen.c +index b528d3796d..4d7a16ee9a 100644 +--- a/src/lib/crypto/builtin/aes/aes-gen.c ++++ b/src/lib/crypto/builtin/aes/aes-gen.c +@@ -54,7 +54,8 @@ uint8_t test_case[NTESTS][4 * B] = { + aes_encrypt_ctx ctx; + aes_decrypt_ctx dctx; + +-static void init () ++static void ++init (void) + { + AES_RETURN r; + +@@ -71,7 +72,8 @@ static void 
hexdump(const unsigned char *ptr, size_t len) + printf ("%s%02X", (i % 16 == 0) ? "\n " : " ", ptr[i]); + } + +-static void fips_test () ++static void ++fips_test (void) + { + static const unsigned char fipskey[16] = { + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, +@@ -254,7 +256,8 @@ cts_dec (unsigned char *out, unsigned char *in, unsigned char *iv, + memcpy(out+B, pn, len-B); + } + +-static void ecb_test () ++static void ++ecb_test (void) + { + unsigned int testno; + uint8_t output[4 * B], tmp[4 * B]; +@@ -285,7 +288,8 @@ static void ecb_test () + + unsigned char ivec[16] = { 0 }; + +-static void cbc_test () ++static void ++cbc_test (void) + { + unsigned int testno; + uint8_t output[4 * B], tmp[4 * B]; +@@ -314,7 +318,8 @@ static void cbc_test () + printf ("\n"); + } + +-static void cts_test () ++static void ++cts_test (void) + { + unsigned int testno; + uint8_t output[4 * B], tmp[4 * B]; +@@ -339,7 +344,8 @@ static void cts_test () + printf ("\n"); + } + +-int main () ++int ++main (void) + { + init (); + fips_test (); +diff --git a/src/lib/crypto/builtin/camellia/camellia-gen.c b/src/lib/crypto/builtin/camellia/camellia-gen.c +index 23b69c1741..6eca0e0525 100644 +--- a/src/lib/crypto/builtin/camellia/camellia-gen.c ++++ b/src/lib/crypto/builtin/camellia/camellia-gen.c +@@ -19,7 +19,8 @@ struct { + } test_case[NTESTS]; + camellia_ctx ctx, dctx; + +-static void init () ++static void ++init (void) + { + size_t i, j; + cam_rval r; +@@ -46,7 +47,8 @@ static void hexdump(const unsigned char *ptr, size_t len) + printf ("%s%02X", (i % 16 == 0) ? 
"\n " : " ", ptr[i]); + } + +-static void fips_test () ++static void ++fips_test (void) + { + static const unsigned char fipskey[16] = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, +@@ -234,7 +236,8 @@ cts_dec (unsigned char *out, unsigned char *in, unsigned char *iv, + memcpy(out+B, pn, len-B); + } + +-static void ecb_test () ++static void ++ecb_test (void) + { + size_t testno; + unsigned char tmp[4*B]; +@@ -265,7 +268,8 @@ static void ecb_test () + + unsigned char ivec[16] = { 0 }; + +-static void cbc_test () ++static void ++cbc_test (void) + { + size_t testno; + unsigned char tmp[4*B]; +@@ -294,7 +298,8 @@ static void cbc_test () + printf ("\n"); + } + +-static void cts_test () ++static void ++cts_test (void) + { + size_t testno; + unsigned char tmp[4*B]; +@@ -319,7 +324,8 @@ static void cts_test () + printf ("\n"); + } + +-int main () ++int ++main (void) + { + init (); + fips_test (); +diff --git a/src/lib/crypto/builtin/sha1/t_shs.c b/src/lib/crypto/builtin/sha1/t_shs.c +index c1d18f5571..a668cb0c06 100644 +--- a/src/lib/crypto/builtin/sha1/t_shs.c ++++ b/src/lib/crypto/builtin/sha1/t_shs.c +@@ -29,9 +29,8 @@ static SHS_LONG shsTestResults[][ 5 ] = { + }; + #endif /* NEW_SHS */ + +-static int compareSHSresults(shsInfo, shsTestLevel) +- SHS_INFO *shsInfo; +- int shsTestLevel; ++static int ++compareSHSresults(SHS_INFO *shsInfo, int shsTestLevel) + { + int i, fail = 0; + +@@ -55,7 +54,7 @@ static int compareSHSresults(shsInfo, shsTestLevel) + } + + int +-main() ++main(int argc, char *argv[]) + { + SHS_INFO shsInfo; + unsigned int i; +diff --git a/src/lib/crypto/builtin/sha1/t_shs3.c b/src/lib/crypto/builtin/sha1/t_shs3.c +index 7aa0bbdee3..87caf7fa37 100644 +--- a/src/lib/crypto/builtin/sha1/t_shs3.c ++++ b/src/lib/crypto/builtin/sha1/t_shs3.c +@@ -55,9 +55,7 @@ int mode; + int Dflag; + + int +-main(argc,argv) +- int argc; +- char **argv; ++main(int argc, char **argv) + { + char *argp; + +@@ -131,8 +129,7 @@ static void process(void) + + #ifndef shsDigest + 
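Review bot: `main()` in t_shs.c becomes `main(int argc, char *argv[])` in the `@@ -55,7 +54,7 @@` hunk, while every other zero-argument `main()` in this patch (t_ndr.c, t_replay.c, aes-gen.c, camellia-gen.c, t_cf2.c, t_encrypt.c, t_fork.c) becomes `main(void)`. The hunk shows no use of either parameter; unless the rest of the body, which lies outside the hunk, reads them, both will be reported by `-Wunused-parameter` and `main(void)` would match the rest of the patch.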
static unsigned char * +-shsDigest(si) +- SHS_INFO *si; ++shsDigest(SHS_INFO *si) + { + longReverse(si->digest, SHS_DIGESTSIZE); + return (unsigned char*) si->digest; +diff --git a/src/lib/crypto/crypto_tests/aes-test.c b/src/lib/crypto/crypto_tests/aes-test.c +index a7382a48ad..d26f711b8d 100644 +--- a/src/lib/crypto/crypto_tests/aes-test.c ++++ b/src/lib/crypto/crypto_tests/aes-test.c +@@ -37,14 +37,14 @@ static char plain[16], cipher[16], zero[16]; + + static krb5_keyblock enc_key; + static krb5_data ivec; +-static void init() ++static void init(void) + { + enc_key.contents = (krb5_octet *)key; + enc_key.length = 16; + ivec.data = zero; + ivec.length = 16; + } +-static void enc() ++static void enc(void) + { + krb5_key k; + krb5_crypto_iov iov; +@@ -93,7 +93,7 @@ static void vk_test_1(int len, krb5_enctype etype) + } + printf("\n==========\n"); + } +-static void vk_test() ++static void vk_test(void) + { + vk_test_1(16, ENCTYPE_AES128_CTS_HMAC_SHA1_96); + vk_test_1(32, ENCTYPE_AES256_CTS_HMAC_SHA1_96); +@@ -119,7 +119,7 @@ static void vt_test_1(int len, krb5_enctype etype) + } + printf("\n==========\n"); + } +-static void vt_test() ++static void vt_test(void) + { + vt_test_1(16, ENCTYPE_AES128_CTS_HMAC_SHA1_96); + vt_test_1(32, ENCTYPE_AES256_CTS_HMAC_SHA1_96); +diff --git a/src/lib/crypto/crypto_tests/camellia-test.c b/src/lib/crypto/crypto_tests/camellia-test.c +index 23d14667e1..ca6579f7d1 100644 +--- a/src/lib/crypto/crypto_tests/camellia-test.c ++++ b/src/lib/crypto/crypto_tests/camellia-test.c +@@ -35,14 +35,14 @@ static char plain[16], cipher[16], zero[16]; + + static krb5_keyblock enc_key; + static krb5_data ivec; +-static void init() ++static void init(void) + { + enc_key.contents = (unsigned char *)key; + enc_key.length = 16; + ivec.data = zero; + ivec.length = 16; + } +-static void enc() ++static void enc(void) + { + krb5_key k; + krb5_crypto_iov iov; +@@ -91,7 +91,7 @@ static void vk_test_1(int len) + } + printf("\n==========\n"); + } +-static void 
vk_test() ++static void vk_test(void) + { + vk_test_1(16); + vk_test_1(32); +@@ -117,7 +117,7 @@ static void vt_test_1(int len, krb5_enctype etype) + } + printf("\n==========\n"); + } +-static void vt_test() ++static void vt_test(void) + { + vt_test_1(16, ENCTYPE_CAMELLIA128_CTS_CMAC); + vt_test_1(32, ENCTYPE_CAMELLIA256_CTS_CMAC); +diff --git a/src/lib/crypto/crypto_tests/t_cf2.c b/src/lib/crypto/crypto_tests/t_cf2.c +index 67c9dcdee2..4c894ad09c 100644 +--- a/src/lib/crypto/crypto_tests/t_cf2.c ++++ b/src/lib/crypto/crypto_tests/t_cf2.c +@@ -46,7 +46,9 @@ + #include + #include + +-int main () { ++int ++main(void) ++{ + krb5_error_code ret; + char pepper1[1025], pepper2[1025]; + krb5_keyblock *k1 = NULL, *k2 = NULL, *out = NULL; +diff --git a/src/lib/crypto/crypto_tests/t_cts.c b/src/lib/crypto/crypto_tests/t_cts.c +index fe505169f3..f8a5a534b2 100644 +--- a/src/lib/crypto/crypto_tests/t_cts.c ++++ b/src/lib/crypto/crypto_tests/t_cts.c +@@ -77,7 +77,7 @@ static void printk(const char *descr, krb5_keyblock *k) { + printd(descr, &d); + } + +-static void test_cts() ++static void test_cts(void) + { + static const char input[4*16] = + "I would like the General Gau's Chicken, please, and wonton soup."; +diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c +index 290a72e1e0..83bc98a2f1 100644 +--- a/src/lib/crypto/crypto_tests/t_encrypt.c ++++ b/src/lib/crypto/crypto_tests/t_encrypt.c +@@ -87,7 +87,7 @@ display(const char *msg, const krb5_data *d) + } + + int +-main () ++main(void) + { + krb5_context context = 0; + krb5_data in, in2, out, out2, check, check2, state, signdata; +diff --git a/src/lib/crypto/crypto_tests/t_fork.c b/src/lib/crypto/crypto_tests/t_fork.c +index 428fc8a6a1..8be7474227 100644 +--- a/src/lib/crypto/crypto_tests/t_fork.c ++++ b/src/lib/crypto/crypto_tests/t_fork.c +@@ -55,7 +55,7 @@ prepare_enc_data(krb5_key key, size_t in_len, krb5_enc_data *enc_data) + } + + int +-main() ++main(void) + { + krb5_keyblock 
kb_aes, kb_rc4; + krb5_key key_aes, key_rc4; +diff --git a/src/lib/crypto/crypto_tests/t_hmac.c b/src/lib/crypto/crypto_tests/t_hmac.c +index da359cb494..e40136bff0 100644 +--- a/src/lib/crypto/crypto_tests/t_hmac.c ++++ b/src/lib/crypto/crypto_tests/t_hmac.c +@@ -122,7 +122,8 @@ static krb5_error_code hmac1(const struct krb5_hash_provider *h, + return err; + } + +-static void test_hmac() ++static void ++test_hmac(void) + { + krb5_keyblock key; + krb5_data in, out; +diff --git a/src/lib/crypto/crypto_tests/t_mddriver.c b/src/lib/crypto/crypto_tests/t_mddriver.c +index ad65d03156..035f825bbc 100644 +--- a/src/lib/crypto/crypto_tests/t_mddriver.c ++++ b/src/lib/crypto/crypto_tests/t_mddriver.c +@@ -111,9 +111,8 @@ struct md_test_entry md_test_suite[] = { + -t - runs time trial + -x - runs test script + */ +-int main (argc, argv) +- int argc; +- char *argv[]; ++int ++main(int argc, char *argv[]) + { + int i; + +@@ -128,10 +127,8 @@ int main (argc, argv) + return (0); + } + +-static void MDHash (bytes, len, count, out) +- char *bytes; +- size_t len, count; +- unsigned char *out; ++static void ++MDHash(char *bytes, size_t len, size_t count, unsigned char *out) + { + krb5_crypto_iov *iov; + krb5_data outdata = make_data (out, MDProvider.hashsize); +@@ -150,8 +147,8 @@ static void MDHash (bytes, len, count, out) + + /* Digests a string and prints the result. + */ +-static void MDString (string) +- char *string; ++static void ++MDString(char *string) + { + unsigned char digest[16]; + +@@ -164,7 +161,8 @@ static void MDString (string) + /* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte + blocks. + */ +-static void MDTimeTrial () ++static void ++MDTimeTrial(void) + { + time_t endTime, startTime; + unsigned char block[TEST_BLOCK_LEN], digest[16]; +@@ -197,7 +195,8 @@ static void MDTimeTrial () + + /* Digests a reference suite of strings and prints the results. 
+ */ +-static void MDTestSuite () ++static void ++MDTestSuite(void) + { + #ifdef HAVE_TEST_SUITE + struct md_test_entry *entry; +@@ -246,8 +245,8 @@ static void MDTestSuite () + + /* Prints a message digest in hexadecimal. + */ +-static void MDPrint (digest) +- unsigned char digest[16]; ++static void ++MDPrint(unsigned char digest[16]) + { + unsigned int i; + +diff --git a/src/lib/crypto/crypto_tests/t_nfold.c b/src/lib/crypto/crypto_tests/t_nfold.c +index b94353c221..a741b61e0c 100644 +--- a/src/lib/crypto/crypto_tests/t_nfold.c ++++ b/src/lib/crypto/crypto_tests/t_nfold.c +@@ -33,17 +33,20 @@ + + #define ASIZE(ARRAY) (sizeof(ARRAY)/sizeof(ARRAY[0])) + +-static void printhex (size_t len, const unsigned char *p) ++static void ++printhex(size_t len, const unsigned char *p) + { + while (len--) + printf ("%02x", 0xff & *p++); + } + +-static void printstringhex (const unsigned char *p) { ++static void ++printstringhex(const unsigned char *p) { + printhex (strlen ((const char *) p), p); + } + +-static void rfc_tests () ++static void ++rfc_tests(void) + { + unsigned i; + struct { +@@ -92,7 +95,8 @@ static void rfc_tests () + } + } + +-static void fold_kerberos(unsigned int nbytes) ++static void ++fold_kerberos(unsigned int nbytes) + { + unsigned char cipher_text[300]; + unsigned int j; +@@ -125,9 +129,7 @@ unsigned char nfold_192[4][24] = { + }; + + int +-main(argc, argv) +- int argc; +- char *argv[]; ++main(int argc, char *argv[]) + { + unsigned char cipher_text[64]; + unsigned int i, j; +diff --git a/src/lib/crypto/crypto_tests/t_prf.c b/src/lib/crypto/crypto_tests/t_prf.c +index d9877bd1f7..6fa0afb183 100644 +--- a/src/lib/crypto/crypto_tests/t_prf.c ++++ b/src/lib/crypto/crypto_tests/t_prf.c +@@ -116,7 +116,7 @@ struct test { + }; + + int +-main() ++main(void) + { + krb5_error_code ret; + krb5_data output; +diff --git a/src/lib/crypto/crypto_tests/t_sha2.c b/src/lib/crypto/crypto_tests/t_sha2.c +index e6fa584982..776c4e964f 100644 +--- 
a/src/lib/crypto/crypto_tests/t_sha2.c ++++ b/src/lib/crypto/crypto_tests/t_sha2.c +@@ -137,7 +137,7 @@ hash_test(const struct krb5_hash_provider *hash, struct test *tests) + } + + int +-main() ++main(void) + { + hash_test(&krb5int_hash_sha256, sha256_tests); + hash_test(&krb5int_hash_sha384, sha384_tests); +diff --git a/src/lib/gssapi/generic/t_seqstate.c b/src/lib/gssapi/generic/t_seqstate.c +index 8f44fcf3ed..4df1ed6b9c 100644 +--- a/src/lib/gssapi/generic/t_seqstate.c ++++ b/src/lib/gssapi/generic/t_seqstate.c +@@ -164,7 +164,7 @@ struct test { + }; + + int +-main() ++main(void) + { + size_t i, j; + enum width w; +diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c +index d7c2ad321e..90a9ad2d9d 100644 +--- a/src/lib/gssapi/krb5/accept_sec_context.c ++++ b/src/lib/gssapi/krb5/accept_sec_context.c +@@ -160,11 +160,8 @@ create_constrained_deleg_creds(OM_uint32 *minor_status, + + /* Decode, decrypt and store the forwarded creds in the local ccache. 
*/ + static krb5_error_code +-rd_and_store_for_creds(context, auth_context, inbuf, out_cred) +- krb5_context context; +- krb5_auth_context auth_context; +- krb5_data *inbuf; +- krb5_gss_cred_id_t *out_cred; ++rd_and_store_for_creds(krb5_context context, krb5_auth_context auth_context, ++ krb5_data *inbuf, krb5_gss_cred_id_t *out_cred) + { + krb5_creds ** creds = NULL; + krb5_error_code retval; +@@ -286,20 +283,12 @@ cleanup: + * Performs third leg of DCE authentication + */ + static OM_uint32 +-kg_accept_dce(minor_status, context_handle, verifier_cred_handle, +- input_token, input_chan_bindings, src_name, mech_type, +- output_token, ret_flags, time_rec, delegated_cred_handle) +- OM_uint32 *minor_status; +- gss_ctx_id_t *context_handle; +- gss_cred_id_t verifier_cred_handle; +- gss_buffer_t input_token; +- gss_channel_bindings_t input_chan_bindings; +- gss_name_t *src_name; +- gss_OID *mech_type; +- gss_buffer_t output_token; +- OM_uint32 *ret_flags; +- OM_uint32 *time_rec; +- gss_cred_id_t *delegated_cred_handle; ++kg_accept_dce(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, ++ gss_cred_id_t verifier_cred_handle, gss_buffer_t input_token, ++ gss_channel_bindings_t input_chan_bindings, gss_name_t *src_name, ++ gss_OID *mech_type, gss_buffer_t output_token, ++ OM_uint32 *ret_flags, OM_uint32 *time_rec, ++ gss_cred_id_t *delegated_cred_handle) + { + krb5_error_code code; + krb5_gss_ctx_id_rec *ctx = 0; +@@ -637,23 +626,13 @@ fail: + } + + static OM_uint32 +-kg_accept_krb5(minor_status, context_handle, +- verifier_cred_handle, input_token, +- input_chan_bindings, src_name, mech_type, +- output_token, ret_flags, time_rec, +- delegated_cred_handle, exts) +- OM_uint32 *minor_status; +- gss_ctx_id_t *context_handle; +- gss_cred_id_t verifier_cred_handle; +- gss_buffer_t input_token; +- gss_channel_bindings_t input_chan_bindings; +- gss_name_t *src_name; +- gss_OID *mech_type; +- gss_buffer_t output_token; +- OM_uint32 *ret_flags; +- OM_uint32 *time_rec; +- 
gss_cred_id_t *delegated_cred_handle; +- krb5_gss_ctx_ext_t exts; ++kg_accept_krb5(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, ++ gss_cred_id_t verifier_cred_handle, gss_buffer_t input_token, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_name_t *src_name, gss_OID *mech_type, ++ gss_buffer_t output_token, OM_uint32 *ret_flags, ++ OM_uint32 *time_rec, gss_cred_id_t *delegated_cred_handle, ++ krb5_gss_ctx_ext_t exts) + { + krb5_context context; + unsigned char *ptr; +@@ -1309,22 +1288,15 @@ krb5_gss_accept_sec_context_ext( + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_accept_sec_context(minor_status, context_handle, +- verifier_cred_handle, input_token, +- input_chan_bindings, src_name, mech_type, +- output_token, ret_flags, time_rec, +- delegated_cred_handle) +- OM_uint32 *minor_status; +- gss_ctx_id_t *context_handle; +- gss_cred_id_t verifier_cred_handle; +- gss_buffer_t input_token; +- gss_channel_bindings_t input_chan_bindings; +- gss_name_t *src_name; +- gss_OID *mech_type; +- gss_buffer_t output_token; +- OM_uint32 *ret_flags; +- OM_uint32 *time_rec; +- gss_cred_id_t *delegated_cred_handle; ++krb5_gss_accept_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_cred_id_t verifier_cred_handle, ++ gss_buffer_t input_token, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_name_t *src_name, gss_OID *mech_type, ++ gss_buffer_t output_token, OM_uint32 *ret_flags, ++ OM_uint32 *time_rec, ++ gss_cred_id_t *delegated_cred_handle) + { + krb5_gss_ctx_ext_rec exts; + +diff --git a/src/lib/gssapi/krb5/compare_name.c b/src/lib/gssapi/krb5/compare_name.c +index 3f3788d2bf..3aa5a0d79f 100644 +--- a/src/lib/gssapi/krb5/compare_name.c ++++ b/src/lib/gssapi/krb5/compare_name.c +@@ -28,11 +28,8 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_compare_name(minor_status, name1, name2, name_equal) +- OM_uint32 *minor_status; +- gss_name_t name1; +- gss_name_t name2; +- int *name_equal; ++krb5_gss_compare_name(OM_uint32 
*minor_status, gss_name_t name1, ++ gss_name_t name2, int *name_equal) + { + krb5_context context; + krb5_error_code code; +diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c +index 226de05f51..0ab885deca 100644 +--- a/src/lib/gssapi/krb5/context_time.c ++++ b/src/lib/gssapi/krb5/context_time.c +@@ -28,10 +28,8 @@ + */ + + OM_uint32 KRB5_CALLCONV +-krb5_gss_context_time(minor_status, context_handle, time_rec) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- OM_uint32 *time_rec; ++krb5_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec) + { + krb5_error_code code; + krb5_gss_ctx_id_rec *ctx; +diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c +index 4b9dfae0d5..92e84b79c5 100644 +--- a/src/lib/gssapi/krb5/delete_sec_context.c ++++ b/src/lib/gssapi/krb5/delete_sec_context.c +@@ -28,10 +28,9 @@ + */ + + OM_uint32 KRB5_CALLCONV +-krb5_gss_delete_sec_context(minor_status, context_handle, output_token) +- OM_uint32 *minor_status; +- gss_ctx_id_t *context_handle; +- gss_buffer_t output_token; ++krb5_gss_delete_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t output_token) + { + krb5_context context; + krb5_gss_ctx_id_rec *ctx; +diff --git a/src/lib/gssapi/krb5/disp_name.c b/src/lib/gssapi/krb5/disp_name.c +index b097bf0e21..75fef01238 100644 +--- a/src/lib/gssapi/krb5/disp_name.c ++++ b/src/lib/gssapi/krb5/disp_name.c +@@ -24,12 +24,9 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_display_name(minor_status, input_name, output_name_buffer, +- output_name_type) +- OM_uint32 *minor_status; +- gss_name_t input_name; +- gss_buffer_t output_name_buffer; +- gss_OID *output_name_type; ++krb5_gss_display_name(OM_uint32 *minor_status, gss_name_t input_name, ++ gss_buffer_t output_name_buffer, ++ gss_OID *output_name_type) + { + krb5_context context; + krb5_error_code code; +diff --git 
a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c +index 6ff62a9d84..71000b7a45 100644 +--- a/src/lib/gssapi/krb5/disp_status.c ++++ b/src/lib/gssapi/krb5/disp_status.c +@@ -154,14 +154,9 @@ void krb5_gss_delete_error_info(void *p) + /**/ + + OM_uint32 KRB5_CALLCONV +-krb5_gss_display_status(minor_status, status_value, status_type, +- mech_type, message_context, status_string) +- OM_uint32 *minor_status; +- OM_uint32 status_value; +- int status_type; +- gss_OID mech_type; +- OM_uint32 *message_context; +- gss_buffer_t status_string; ++krb5_gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, ++ int status_type, gss_OID mech_type, ++ OM_uint32 *message_context, gss_buffer_t status_string) + { + status_string->length = 0; + status_string->value = NULL; +diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c +index 44e50080ab..9730e0597f 100644 +--- a/src/lib/gssapi/krb5/export_sec_context.c ++++ b/src/lib/gssapi/krb5/export_sec_context.c +@@ -27,10 +27,9 @@ + #include "gssapiP_krb5.h" + #ifndef LEAN_CLIENT + OM_uint32 KRB5_CALLCONV +-krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) +- OM_uint32 *minor_status; +- gss_ctx_id_t *context_handle; +- gss_buffer_t interprocess_token; ++krb5_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) + { + krb5_context context = NULL; + krb5_error_code kret; +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 1e62b07cde..370b7d152a 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -197,9 +197,7 @@ g_set kg_vdb = G_SET_INIT; + * so handling the expiration/invalidation condition here isn't needed. 
+ */ + OM_uint32 +-kg_get_defcred(minor_status, cred) +- OM_uint32 *minor_status; +- gss_cred_id_t *cred; ++kg_get_defcred(OM_uint32 *minor_status, gss_cred_id_t *cred) + { + OM_uint32 major; + +diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c +index f64635a202..cc6883b5fe 100644 +--- a/src/lib/gssapi/krb5/import_name.c ++++ b/src/lib/gssapi/krb5/import_name.c +@@ -120,12 +120,8 @@ parse_hostbased(const char *str, size_t len, + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_import_name(minor_status, input_name_buffer, +- input_name_type, output_name) +- OM_uint32 *minor_status; +- gss_buffer_t input_name_buffer; +- gss_OID input_name_type; +- gss_name_t *output_name; ++krb5_gss_import_name(OM_uint32 *minor_status, gss_buffer_t input_name_buffer, ++ gss_OID input_name_type, gss_name_t *output_name) + { + krb5_context context; + krb5_principal princ = NULL; +diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c +index 7d26f4df87..e39c036b80 100644 +--- a/src/lib/gssapi/krb5/import_sec_context.c ++++ b/src/lib/gssapi/krb5/import_sec_context.c +@@ -32,8 +32,7 @@ + * Fix up the OID of the mechanism so that uses the static version of + * the OID if possible. 
+ */ +-gss_OID krb5_gss_convert_static_mech_oid(oid) +- gss_OID oid; ++gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid) + { + const gss_OID_desc *p; + OM_uint32 minor_status; +@@ -49,10 +48,9 @@ gss_OID krb5_gss_convert_static_mech_oid(oid) + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) +- OM_uint32 *minor_status; +- gss_buffer_t interprocess_token; +- gss_ctx_id_t *context_handle; ++krb5_gss_import_sec_context(OM_uint32 *minor_status, ++ gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle) + { + krb5_context context; + krb5_error_code kret = 0; +diff --git a/src/lib/gssapi/krb5/indicate_mechs.c b/src/lib/gssapi/krb5/indicate_mechs.c +index 45538cb779..49d55e6217 100644 +--- a/src/lib/gssapi/krb5/indicate_mechs.c ++++ b/src/lib/gssapi/krb5/indicate_mechs.c +@@ -29,9 +29,7 @@ + #include "mglueP.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_indicate_mechs(minor_status, mech_set) +- OM_uint32 *minor_status; +- gss_OID_set *mech_set; ++krb5_gss_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set) + { + return generic_gss_copy_oid_set(minor_status, kg_all_mechs, mech_set); + } +diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c +index 5748b8434c..0397fe1dfd 100644 +--- a/src/lib/gssapi/krb5/init_sec_context.c ++++ b/src/lib/gssapi/krb5/init_sec_context.c +@@ -117,14 +117,10 @@ int krb5_gss_dbg_client_expcreds = 0; + * Common code which fetches the correct krb5 credentials from the + * ccache. 
+ */ +-static krb5_error_code get_credentials(context, cred, server, now, +- endtime, out_creds) +- krb5_context context; +- krb5_gss_cred_id_t cred; +- krb5_gss_name_t server; +- krb5_timestamp now; +- krb5_timestamp endtime; +- krb5_creds **out_creds; ++static krb5_error_code ++get_credentials(krb5_context context, krb5_gss_cred_id_t cred, ++ krb5_gss_name_t server, krb5_timestamp now, ++ krb5_timestamp endtime, krb5_creds **out_creds) + { + krb5_error_code code; + krb5_creds in_creds, evidence_creds, mcreds, *result_creds = NULL; +@@ -365,17 +361,11 @@ cleanup: + } + + static krb5_error_code +-make_ap_req_v1(context, ctx, cred, k_cred, ad_context, +- chan_bindings, mech_type, token, exts) +- krb5_context context; +- krb5_gss_ctx_id_rec *ctx; +- krb5_gss_cred_id_t cred; +- krb5_creds *k_cred; +- krb5_authdata_context ad_context; +- gss_channel_bindings_t chan_bindings; +- gss_OID mech_type; +- gss_buffer_t token; +- krb5_gss_ctx_ext_t exts; ++make_ap_req_v1(krb5_context context, krb5_gss_ctx_id_rec *ctx, ++ krb5_gss_cred_id_t cred, krb5_creds *k_cred, ++ krb5_authdata_context ad_context, ++ gss_channel_bindings_t chan_bindings, gss_OID mech_type, ++ gss_buffer_t token, krb5_gss_ctx_ext_t exts) + { + krb5_flags mk_req_flags = 0; + krb5_error_code code; +@@ -1048,24 +1038,15 @@ krb5int_gss_use_kdc_context(OM_uint32 *minor_status, + #endif + + OM_uint32 KRB5_CALLCONV +-krb5_gss_init_sec_context(minor_status, claimant_cred_handle, +- context_handle, target_name, mech_type, +- req_flags, time_req, input_chan_bindings, +- input_token, actual_mech_type, output_token, +- ret_flags, time_rec) +- OM_uint32 *minor_status; +- gss_cred_id_t claimant_cred_handle; +- gss_ctx_id_t *context_handle; +- gss_name_t target_name; +- gss_OID mech_type; +- OM_uint32 req_flags; +- OM_uint32 time_req; +- gss_channel_bindings_t input_chan_bindings; +- gss_buffer_t input_token; +- gss_OID *actual_mech_type; +- gss_buffer_t output_token; +- OM_uint32 *ret_flags; +- OM_uint32 *time_rec; 
++krb5_gss_init_sec_context(OM_uint32 *minor_status, ++ gss_cred_id_t claimant_cred_handle, ++ gss_ctx_id_t *context_handle, ++ gss_name_t target_name, gss_OID mech_type, ++ OM_uint32 req_flags, OM_uint32 time_req, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_buffer_t input_token, gss_OID *actual_mech_type, ++ gss_buffer_t output_token, OM_uint32 *ret_flags, ++ OM_uint32 *time_rec) + { + krb5_gss_ctx_ext_rec exts; + +diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c +index 97678e3ec5..f8229f9750 100644 +--- a/src/lib/gssapi/krb5/inq_context.c ++++ b/src/lib/gssapi/krb5/inq_context.c +@@ -78,18 +78,11 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_inquire_context(minor_status, context_handle, initiator_name, +- acceptor_name, lifetime_rec, mech_type, ret_flags, +- locally_initiated, opened) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_name_t *initiator_name; +- gss_name_t *acceptor_name; +- OM_uint32 *lifetime_rec; +- gss_OID *mech_type; +- OM_uint32 *ret_flags; +- int *locally_initiated; +- int *opened; ++krb5_gss_inquire_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_name_t *initiator_name, gss_name_t *acceptor_name, ++ OM_uint32 *lifetime_rec, gss_OID *mech_type, ++ OM_uint32 *ret_flags, int *locally_initiated, ++ int *opened) + { + krb5_context context; + krb5_error_code code; +diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c +index 0e675959a3..e968f8ad32 100644 +--- a/src/lib/gssapi/krb5/inq_cred.c ++++ b/src/lib/gssapi/krb5/inq_cred.c +@@ -73,14 +73,9 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, +- cred_usage, mechanisms) +- OM_uint32 *minor_status; +- gss_cred_id_t cred_handle; +- gss_name_t *name; +- OM_uint32 *lifetime_ret; +- gss_cred_usage_t *cred_usage; +- gss_OID_set *mechanisms; ++krb5_gss_inquire_cred(OM_uint32 *minor_status, 
gss_cred_id_t cred_handle, ++ gss_name_t *name, OM_uint32 *lifetime_ret, ++ gss_cred_usage_t *cred_usage, gss_OID_set *mechanisms) + { + krb5_context context; + gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL; +@@ -209,16 +204,11 @@ cleanup: + + /* V2 interface */ + OM_uint32 KRB5_CALLCONV +-krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, +- mech_type, name, initiator_lifetime, +- acceptor_lifetime, cred_usage) +- OM_uint32 *minor_status; +- gss_cred_id_t cred_handle; +- gss_OID mech_type; +- gss_name_t *name; +- OM_uint32 *initiator_lifetime; +- OM_uint32 *acceptor_lifetime; +- gss_cred_usage_t *cred_usage; ++krb5_gss_inquire_cred_by_mech(OM_uint32 *minor_status, ++ gss_cred_id_t cred_handle, gss_OID mech_type, ++ gss_name_t *name, OM_uint32 *initiator_lifetime, ++ OM_uint32 *acceptor_lifetime, ++ gss_cred_usage_t *cred_usage) + { + krb5_gss_cred_id_t cred; + OM_uint32 lifetime; +diff --git a/src/lib/gssapi/krb5/inq_names.c b/src/lib/gssapi/krb5/inq_names.c +index b326adbb5f..4a3709be4b 100644 +--- a/src/lib/gssapi/krb5/inq_names.c ++++ b/src/lib/gssapi/krb5/inq_names.c +@@ -27,10 +27,8 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_inquire_names_for_mech(minor_status, mechanism, name_types) +- OM_uint32 *minor_status; +- gss_OID mechanism; +- gss_OID_set *name_types; ++krb5_gss_inquire_names_for_mech(OM_uint32 *minor_status, gss_OID mechanism, ++ gss_OID_set *name_types) + { + OM_uint32 major, minor; + +diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c +index 0e5d10b115..1148f6929b 100644 +--- a/src/lib/gssapi/krb5/k5seal.c ++++ b/src/lib/gssapi/krb5/k5seal.c +@@ -271,16 +271,10 @@ make_seal_token_v1 (krb5_context context, + and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */ + + OM_uint32 +-kg_seal(minor_status, context_handle, conf_req_flag, qop_req, +- input_message_buffer, conf_state, output_message_buffer, toktype) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- int 
conf_req_flag; +- gss_qop_t qop_req; +- gss_buffer_t input_message_buffer; +- int *conf_state; +- gss_buffer_t output_message_buffer; +- int toktype; ++kg_seal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer, int toktype) + { + krb5_gss_ctx_id_rec *ctx; + krb5_error_code code; +@@ -342,16 +336,10 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_wrap(minor_status, context_handle, conf_req_flag, +- qop_req, input_message_buffer, conf_state, +- output_message_buffer) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- int conf_req_flag; +- gss_qop_t qop_req; +- gss_buffer_t input_message_buffer; +- int *conf_state; +- gss_buffer_t output_message_buffer; ++krb5_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer) + { + return(kg_seal(minor_status, context_handle, conf_req_flag, + qop_req, input_message_buffer, conf_state, +@@ -359,13 +347,9 @@ krb5_gss_wrap(minor_status, context_handle, conf_req_flag, + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_get_mic(minor_status, context_handle, qop_req, +- message_buffer, message_token) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_qop_t qop_req; +- gss_buffer_t message_buffer; +- gss_buffer_t message_token; ++krb5_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token) + { + return(kg_seal(minor_status, context_handle, 0, + qop_req, message_buffer, NULL, +diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c +index f0cc4a6809..e246365804 100644 +--- a/src/lib/gssapi/krb5/k5unseal.c ++++ b/src/lib/gssapi/krb5/k5unseal.c +@@ -58,17 +58,10 @@ + 
conf_state is only valid if SEAL. */ + + static OM_uint32 +-kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, +- conf_state, qop_state, toktype) +- krb5_context context; +- OM_uint32 *minor_status; +- krb5_gss_ctx_id_rec *ctx; +- unsigned char *ptr; +- int bodysize; +- gss_buffer_t message_buffer; +- int *conf_state; +- gss_qop_t *qop_state; +- int toktype; ++kg_unseal_v1(krb5_context context, OM_uint32 *minor_status, ++ krb5_gss_ctx_id_rec *ctx, unsigned char *ptr, int bodysize, ++ gss_buffer_t message_buffer, int *conf_state, ++ gss_qop_t *qop_state, int toktype) + { + krb5_error_code code; + int conflen = 0; +@@ -342,15 +335,9 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, + conf_state is only valid if SEAL. */ + + OM_uint32 +-kg_unseal(minor_status, context_handle, input_token_buffer, +- message_buffer, conf_state, qop_state, toktype) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_buffer_t input_token_buffer; +- gss_buffer_t message_buffer; +- int *conf_state; +- gss_qop_t *qop_state; +- int toktype; ++kg_unseal(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_token_buffer, gss_buffer_t message_buffer, ++ int *conf_state, gss_qop_t *qop_state, int toktype) + { + krb5_gss_ctx_id_rec *ctx; + unsigned char *ptr; +@@ -421,15 +408,10 @@ kg_unseal(minor_status, context_handle, input_token_buffer, + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_unwrap(minor_status, context_handle, +- input_message_buffer, output_message_buffer, +- conf_state, qop_state) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_buffer_t input_message_buffer; +- gss_buffer_t output_message_buffer; +- int *conf_state; +- gss_qop_t *qop_state; ++krb5_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state) + { + OM_uint32 rstat; + +@@ -440,14 +422,9 @@ 
krb5_gss_unwrap(minor_status, context_handle, + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_verify_mic(minor_status, context_handle, +- message_buffer, token_buffer, +- qop_state) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_buffer_t message_buffer; +- gss_buffer_t token_buffer; +- gss_qop_t *qop_state; ++krb5_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t message_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state) + { + OM_uint32 rstat; + +diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c +index a672f48c85..67805fba78 100644 +--- a/src/lib/gssapi/krb5/process_context_token.c ++++ b/src/lib/gssapi/krb5/process_context_token.c +@@ -28,11 +28,9 @@ + */ + + OM_uint32 KRB5_CALLCONV +-krb5_gss_process_context_token(minor_status, context_handle, +- token_buffer) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- gss_buffer_t token_buffer; ++krb5_gss_process_context_token(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, ++ gss_buffer_t token_buffer) + { + krb5_gss_ctx_id_rec *ctx; + OM_uint32 majerr; +diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c +index 0da6c1b950..9e04e2fa81 100644 +--- a/src/lib/gssapi/krb5/rel_cred.c ++++ b/src/lib/gssapi/krb5/rel_cred.c +@@ -24,9 +24,7 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_release_cred(minor_status, cred_handle) +- OM_uint32 *minor_status; +- gss_cred_id_t *cred_handle; ++krb5_gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) + { + krb5_context context; + krb5_gss_cred_id_t cred; +diff --git a/src/lib/gssapi/krb5/rel_name.c b/src/lib/gssapi/krb5/rel_name.c +index 3dabe32f33..558bb6dbc5 100644 +--- a/src/lib/gssapi/krb5/rel_name.c ++++ b/src/lib/gssapi/krb5/rel_name.c +@@ -24,9 +24,7 @@ + #include "gssapiP_krb5.h" + + OM_uint32 KRB5_CALLCONV +-krb5_gss_release_name(minor_status, input_name) +- OM_uint32 *minor_status; 
+- gss_name_t *input_name; ++krb5_gss_release_name(OM_uint32 *minor_status, gss_name_t *input_name) + { + krb5_context context; + krb5_error_code code; +diff --git a/src/lib/gssapi/krb5/rel_oid.c b/src/lib/gssapi/krb5/rel_oid.c +index 739efe4680..900c4105f9 100644 +--- a/src/lib/gssapi/krb5/rel_oid.c ++++ b/src/lib/gssapi/krb5/rel_oid.c +@@ -27,9 +27,7 @@ + #include "gssapiP_krb5.h" + + OM_uint32 +-krb5_gss_release_oid(minor_status, oid) +- OM_uint32 *minor_status; +- gss_OID *oid; ++krb5_gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) + { + /* + * The V2 API says the following! +@@ -52,9 +50,7 @@ krb5_gss_release_oid(minor_status, oid) + } + + OM_uint32 KRB5_CALLCONV +-krb5_gss_internal_release_oid(minor_status, oid) +- OM_uint32 *minor_status; +- gss_OID *oid; ++krb5_gss_internal_release_oid(OM_uint32 *minor_status, gss_OID *oid) + { + /* + * This function only knows how to release internal OIDs. It will +diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c +index 9e2d32e98d..1129b6a1aa 100644 +--- a/src/lib/gssapi/krb5/ser_sctx.c ++++ b/src/lib/gssapi/krb5/ser_sctx.c +@@ -137,10 +137,8 @@ kg_oid_size(gss_OID oid, size_t *sizep) + } + + static krb5_error_code +-kg_seqstate_externalize(arg, buffer, lenremain) +- g_seqnum_state arg; +- krb5_octet **buffer; +- size_t *lenremain; ++kg_seqstate_externalize(g_seqnum_state arg, krb5_octet **buffer, ++ size_t *lenremain) + { + krb5_error_code err; + err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); +@@ -152,10 +150,8 @@ kg_seqstate_externalize(arg, buffer, lenremain) + } + + static krb5_error_code +-kg_seqstate_internalize(argp, buffer, lenremain) +- g_seqnum_state *argp; +- krb5_octet **buffer; +- size_t *lenremain; ++kg_seqstate_internalize(g_seqnum_state *argp, krb5_octet **buffer, ++ size_t *lenremain) + { + krb5_int32 ibuf; + krb5_octet *bp; +@@ -193,9 +189,7 @@ kg_seqstate_internalize(argp, buffer, lenremain) + } + + static krb5_error_code +-kg_seqstate_size(arg, sizep) +- 
g_seqnum_state arg; +- size_t *sizep; ++kg_seqstate_size(g_seqnum_state arg, size_t *sizep) + { + krb5_error_code kret; + size_t required; +diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c +index 5b87956393..5f7694f5e6 100644 +--- a/src/lib/gssapi/krb5/util_cksum.c ++++ b/src/lib/gssapi/krb5/util_cksum.c +@@ -28,10 +28,8 @@ + + /* Checksumming the channel bindings always uses plain MD5. */ + krb5_error_code +-kg_checksum_channel_bindings(context, cb, cksum) +- krb5_context context; +- gss_channel_bindings_t cb; +- krb5_checksum *cksum; ++kg_checksum_channel_bindings(krb5_context context, gss_channel_bindings_t cb, ++ krb5_checksum *cksum) + { + struct k5buf buf; + size_t sumlen; +diff --git a/src/lib/gssapi/krb5/util_seed.c b/src/lib/gssapi/krb5/util_seed.c +index 6e1c9ac8ae..685736314c 100644 +--- a/src/lib/gssapi/krb5/util_seed.c ++++ b/src/lib/gssapi/krb5/util_seed.c +@@ -29,10 +29,7 @@ + static const unsigned char zeros[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0}; + + krb5_error_code +-kg_make_seed(context, key, seed) +- krb5_context context; +- krb5_key key; +- unsigned char *seed; ++kg_make_seed(krb5_context context, krb5_key key, unsigned char *seed) + { + krb5_error_code code; + krb5_key rkey = NULL; +diff --git a/src/lib/gssapi/krb5/util_seqnum.c b/src/lib/gssapi/krb5/util_seqnum.c +index bef631da9d..a5a4d5cf80 100644 +--- a/src/lib/gssapi/krb5/util_seqnum.c ++++ b/src/lib/gssapi/krb5/util_seqnum.c +@@ -30,13 +30,8 @@ + */ + + krb5_error_code +-kg_make_seq_num(context, key, direction, seqnum, cksum, buf) +- krb5_context context; +- krb5_key key; +- int direction; +- krb5_ui_4 seqnum; +- unsigned char *cksum; +- unsigned char *buf; ++kg_make_seq_num(krb5_context context, krb5_key key, int direction, ++ krb5_ui_4 seqnum, unsigned char *cksum, unsigned char *buf) + { + unsigned char plain[8]; + +@@ -59,13 +54,9 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf) + return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, 
plain, buf, 8)); + } + +-krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum) +- krb5_context context; +- krb5_key key; +- unsigned char *cksum; +- unsigned char *buf; +- int *direction; +- krb5_ui_4 *seqnum; ++krb5_error_code ++kg_get_seq_num(krb5_context context, krb5_key key, unsigned char *cksum, ++ unsigned char *buf, int *direction, krb5_ui_4 *seqnum) + { + krb5_error_code code; + unsigned char plain[8]; +diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c +index cb1cb9393a..83e7634106 100644 +--- a/src/lib/gssapi/krb5/val_cred.c ++++ b/src/lib/gssapi/krb5/val_cred.c +@@ -57,9 +57,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, + } + + OM_uint32 +-krb5_gss_validate_cred(minor_status, cred_handle) +- OM_uint32 *minor_status; +- gss_cred_id_t cred_handle; ++krb5_gss_validate_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle) + { + krb5_context context; + krb5_error_code code; +diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c +index 7959f424ec..8ea6ce1ad3 100644 +--- a/src/lib/gssapi/krb5/wrap_size_limit.c ++++ b/src/lib/gssapi/krb5/wrap_size_limit.c +@@ -74,14 +74,9 @@ + + /* V2 interface */ + OM_uint32 KRB5_CALLCONV +-krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, +- qop_req, req_output_size, max_input_size) +- OM_uint32 *minor_status; +- gss_ctx_id_t context_handle; +- int conf_req_flag; +- gss_qop_t qop_req; +- OM_uint32 req_output_size; +- OM_uint32 *max_input_size; ++krb5_gss_wrap_size_limit(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ OM_uint32 req_output_size, OM_uint32 *max_input_size) + { + krb5_gss_ctx_id_rec *ctx; + OM_uint32 data_size, conflen; +diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c +index 4f2a66e26a..e4eff1f52c 100644 +--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c ++++ 
b/src/lib/gssapi/mechglue/g_accept_sec_context.c +@@ -128,30 +128,13 @@ allow_mech_by_default(gss_OID mech) + } + + OM_uint32 KRB5_CALLCONV +-gss_accept_sec_context (minor_status, +- context_handle, +- verifier_cred_handle, +- input_token_buffer, +- input_chan_bindings, +- src_name, +- mech_type, +- output_token, +- ret_flags, +- time_rec, +- d_cred) +- +-OM_uint32 * minor_status; +-gss_ctx_id_t * context_handle; +-gss_cred_id_t verifier_cred_handle; +-gss_buffer_t input_token_buffer; +-gss_channel_bindings_t input_chan_bindings; +-gss_name_t * src_name; +-gss_OID * mech_type; +-gss_buffer_t output_token; +-OM_uint32 * ret_flags; +-OM_uint32 * time_rec; +-gss_cred_id_t * d_cred; +- ++gss_accept_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, ++ gss_cred_id_t verifier_cred_handle, ++ gss_buffer_t input_token_buffer, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_name_t *src_name, gss_OID *mech_type, ++ gss_buffer_t output_token, OM_uint32 *ret_flags, ++ OM_uint32 *time_rec, gss_cred_id_t *d_cred) + { + OM_uint32 status, temp_status, temp_minor_status; + OM_uint32 temp_ret_flags = 0; +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c +index c885f56279..2fc9c5c786 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred.c +@@ -85,24 +85,10 @@ val_acq_cred_args( + + + OM_uint32 KRB5_CALLCONV +-gss_acquire_cred(minor_status, +- desired_name, +- time_req, +- desired_mechs, +- cred_usage, +- output_cred_handle, +- actual_mechs, +- time_rec) +- +-OM_uint32 * minor_status; +-gss_name_t desired_name; +-OM_uint32 time_req; +-gss_OID_set desired_mechs; +-int cred_usage; +-gss_cred_id_t * output_cred_handle; +-gss_OID_set * actual_mechs; +-OM_uint32 * time_rec; +- ++gss_acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name, ++ OM_uint32 time_req, gss_OID_set desired_mechs, ++ int cred_usage, gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, 
OM_uint32 *time_rec) + { + return gss_acquire_cred_from(minor_status, desired_name, time_req, + desired_mechs, cred_usage, NULL, +@@ -110,26 +96,11 @@ OM_uint32 * time_rec; + } + + OM_uint32 KRB5_CALLCONV +-gss_acquire_cred_from(minor_status, +- desired_name, +- time_req, +- desired_mechs, +- cred_usage, +- cred_store, +- output_cred_handle, +- actual_mechs, +- time_rec) +- +-OM_uint32 * minor_status; +-gss_name_t desired_name; +-OM_uint32 time_req; +-gss_OID_set desired_mechs; +-int cred_usage; +-gss_const_key_value_set_t cred_store; +-gss_cred_id_t * output_cred_handle; +-gss_OID_set * actual_mechs; +-OM_uint32 * time_rec; +- ++gss_acquire_cred_from(OM_uint32 * minor_status, gss_name_t desired_name, ++ OM_uint32 time_req, gss_OID_set desired_mechs, ++ int cred_usage, gss_const_key_value_set_t cred_store, ++ gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, OM_uint32 *time_rec) + { + OM_uint32 major = GSS_S_FAILURE, tmpMinor; + OM_uint32 first_major = GSS_S_COMPLETE, first_minor = 0; +@@ -397,22 +368,12 @@ error: + + /* V2 KRB5_CALLCONV */ + OM_uint32 KRB5_CALLCONV +-gss_add_cred(minor_status, input_cred_handle, +- desired_name, desired_mech, cred_usage, +- initiator_time_req, acceptor_time_req, +- output_cred_handle, actual_mechs, +- initiator_time_rec, acceptor_time_rec) +- OM_uint32 *minor_status; +- gss_cred_id_t input_cred_handle; +- gss_name_t desired_name; +- gss_OID desired_mech; +- gss_cred_usage_t cred_usage; +- OM_uint32 initiator_time_req; +- OM_uint32 acceptor_time_req; +- gss_cred_id_t *output_cred_handle; +- gss_OID_set *actual_mechs; +- OM_uint32 *initiator_time_rec; +- OM_uint32 *acceptor_time_rec; ++gss_add_cred(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, ++ gss_name_t desired_name, gss_OID desired_mech, ++ gss_cred_usage_t cred_usage, OM_uint32 initiator_time_req, ++ OM_uint32 acceptor_time_req, gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, OM_uint32 *initiator_time_rec, ++ OM_uint32 
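Review bot: The new prototype of gss_acquire_cred_from spells its first parameter `OM_uint32 * minor_status`, while the sibling gss_acquire_cred directly above it and every other prototype converted in this file bind the declarator to the name (`OM_uint32 *minor_status`). The same detached-star spelling recurs in gss_compare_name (`OM_uint32 * minor_status`, `int * name_equal`), gss_context_time (`OM_uint32 * minor_status`, `OM_uint32 * time_rec`) and gss_import_name (`OM_uint32 * minor_status`, `gss_name_t * output_name`). Suggest `gss_acquire_cred_from(OM_uint32 *minor_status, gss_name_t desired_name,` here and the matching one-token change at the other three sites. gss_acquire_cred_from's body continues outside the hunk.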
*acceptor_time_rec) + { + return gss_add_cred_from(minor_status, input_cred_handle, desired_name, + desired_mech, cred_usage, initiator_time_req, +@@ -422,25 +383,13 @@ gss_add_cred(minor_status, input_cred_handle, + } + + OM_uint32 KRB5_CALLCONV +-gss_add_cred_from(minor_status, input_cred_handle, +- desired_name, desired_mech, +- cred_usage, +- initiator_time_req, acceptor_time_req, +- cred_store, +- output_cred_handle, actual_mechs, +- initiator_time_rec, acceptor_time_rec) +- OM_uint32 *minor_status; +- gss_cred_id_t input_cred_handle; +- gss_name_t desired_name; +- gss_OID desired_mech; +- gss_cred_usage_t cred_usage; +- OM_uint32 initiator_time_req; +- OM_uint32 acceptor_time_req; +- gss_const_key_value_set_t cred_store; +- gss_cred_id_t *output_cred_handle; +- gss_OID_set *actual_mechs; +- OM_uint32 *initiator_time_rec; +- OM_uint32 *acceptor_time_rec; ++gss_add_cred_from(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, ++ gss_name_t desired_name, gss_OID desired_mech, ++ gss_cred_usage_t cred_usage, OM_uint32 initiator_time_req, ++ OM_uint32 acceptor_time_req, ++ gss_const_key_value_set_t cred_store, ++ gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, ++ OM_uint32 *initiator_time_rec, OM_uint32 *acceptor_time_rec) + { + OM_uint32 status, temp_minor_status; + OM_uint32 time_req, time_rec = 0, *time_recp = NULL; +diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_with_pw.c b/src/lib/gssapi/mechglue/g_acquire_cred_with_pw.c +index cc34acc2bf..86abf984dc 100644 +--- a/src/lib/gssapi/mechglue/g_acquire_cred_with_pw.c ++++ b/src/lib/gssapi/mechglue/g_acquire_cred_with_pw.c +@@ -98,26 +98,12 @@ val_acq_cred_pw_args( + + + OM_uint32 KRB5_CALLCONV +-gss_acquire_cred_with_password( +- minor_status, +- desired_name, +- password, +- time_req, +- desired_mechs, +- cred_usage, +- output_cred_handle, +- actual_mechs, +- time_rec) +- +-OM_uint32 * minor_status; +-const gss_name_t desired_name; +-const gss_buffer_t password; +-OM_uint32 time_req; 
+-const gss_OID_set desired_mechs; +-int cred_usage; +-gss_cred_id_t * output_cred_handle; +-gss_OID_set * actual_mechs; +-OM_uint32 * time_rec; ++gss_acquire_cred_with_password(OM_uint32 *minor_status, ++ const gss_name_t desired_name, ++ const gss_buffer_t password, OM_uint32 time_req, ++ const gss_OID_set desired_mechs, int cred_usage, ++ gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, OM_uint32 *time_rec) + { + OM_uint32 major = GSS_S_FAILURE; + OM_uint32 initTimeOut, acceptTimeOut, outTime = GSS_C_INDEFINITE; +@@ -306,23 +292,19 @@ val_add_cred_pw_args( + + /* V2 KRB5_CALLCONV */ + OM_uint32 KRB5_CALLCONV +-gss_add_cred_with_password(minor_status, input_cred_handle, +- desired_name, desired_mech, password, cred_usage, +- initiator_time_req, acceptor_time_req, +- output_cred_handle, actual_mechs, +- initiator_time_rec, acceptor_time_rec) +- OM_uint32 *minor_status; +- const gss_cred_id_t input_cred_handle; +- const gss_name_t desired_name; +- const gss_OID desired_mech; +- const gss_buffer_t password; +- gss_cred_usage_t cred_usage; +- OM_uint32 initiator_time_req; +- OM_uint32 acceptor_time_req; +- gss_cred_id_t *output_cred_handle; +- gss_OID_set *actual_mechs; +- OM_uint32 *initiator_time_rec; +- OM_uint32 *acceptor_time_rec; ++gss_add_cred_with_password( ++ OM_uint32 *minor_status, ++ const gss_cred_id_t input_cred_handle, ++ const gss_name_t desired_name, ++ const gss_OID desired_mech, ++ const gss_buffer_t password, ++ gss_cred_usage_t cred_usage, ++ OM_uint32 initiator_time_req, ++ OM_uint32 acceptor_time_req, ++ gss_cred_id_t *output_cred_handle, ++ gss_OID_set *actual_mechs, ++ OM_uint32 *initiator_time_rec, ++ OM_uint32 *acceptor_time_rec) + { + OM_uint32 status, temp_minor_status; + OM_uint32 time_req, time_rec; +diff --git a/src/lib/gssapi/mechglue/g_canon_name.c b/src/lib/gssapi/mechglue/g_canon_name.c +index 61f657f91f..c5214db80a 100644 +--- a/src/lib/gssapi/mechglue/g_canon_name.c ++++ b/src/lib/gssapi/mechglue/g_canon_name.c 
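Review bot: In the rewritten prototype of gss_acquire_cred_with_password the qualifiers on `const gss_name_t desired_name`, `const gss_buffer_t password` and `const gss_OID_set desired_mechs` apply to the by-value parameter itself, not to the object it points to, because those typedefs are pointer types; they say nothing about read-only access and, as qualifiers on a parameter, have no effect on prototype compatibility. They were carried over verbatim from the K&R declaration and presumably mirror the public declaration in gssapi.h, so this is a style point rather than a defect. The same carried-over top-level const appears in gss_add_cred_with_password, gss_canonicalize_name, gss_duplicate_name, gss_export_name, gssint_export_internal_name, gssint_create_copy_buffer and gssint_get_modOptions. If the definitions are meant to match the header text, a one-line comment above the first of them, `/* top-level const on the pointer typedefs mirrors the public declaration; it does not make the pointee read-only */`, would keep the next reader from taking it for pointee constness. The function body continues outside the hunk.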
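Review bot: The rewritten prototype of gss_add_cred_with_password places each parameter on its own line, whereas gss_acquire_cred_with_password a few hunks earlier in the same file, and every other prototype in this series, packs parameters to the line width. A reader comparing the two functions sees a formatting difference that carries no meaning. Suggest folding it into the packed form used elsewhere, e.g. `gss_add_cred_with_password(OM_uint32 *minor_status,` followed by `const gss_cred_id_t input_cred_handle, const gss_name_t desired_name,` and so on, three or four parameters per line. The body continues outside the hunk.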
+@@ -54,14 +54,8 @@ val_canon_name_args( + + + OM_uint32 KRB5_CALLCONV +-gss_canonicalize_name(minor_status, +- input_name, +- mech_type, +- output_name) +-OM_uint32 *minor_status; +-const gss_name_t input_name; +-const gss_OID mech_type; +-gss_name_t *output_name; ++gss_canonicalize_name(OM_uint32 *minor_status, const gss_name_t input_name, ++ const gss_OID mech_type, gss_name_t *output_name) + { + gss_union_name_t in_union, out_union = NULL, dest_union = NULL; + OM_uint32 major_status = GSS_S_FAILURE, tmpmin; +diff --git a/src/lib/gssapi/mechglue/g_compare_name.c b/src/lib/gssapi/mechglue/g_compare_name.c +index af2e76bbda..74a9529a35 100644 +--- a/src/lib/gssapi/mechglue/g_compare_name.c ++++ b/src/lib/gssapi/mechglue/g_compare_name.c +@@ -59,16 +59,8 @@ val_comp_name_args( + + + OM_uint32 KRB5_CALLCONV +-gss_compare_name (minor_status, +- name1, +- name2, +- name_equal) +- +-OM_uint32 * minor_status; +-gss_name_t name1; +-gss_name_t name2; +-int * name_equal; +- ++gss_compare_name(OM_uint32 * minor_status, gss_name_t name1, gss_name_t name2, ++ int * name_equal) + { + OM_uint32 major_status, temp_minor; + gss_union_name_t union_name1, union_name2; +diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c +index c947e7646c..b11b32d6bb 100644 +--- a/src/lib/gssapi/mechglue/g_context_time.c ++++ b/src/lib/gssapi/mechglue/g_context_time.c +@@ -29,14 +29,8 @@ + #include "mglueP.h" + + OM_uint32 KRB5_CALLCONV +-gss_context_time (minor_status, +- context_handle, +- time_rec) +- +-OM_uint32 * minor_status; +-gss_ctx_id_t context_handle; +-OM_uint32 * time_rec; +- ++gss_context_time(OM_uint32 * minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 * time_rec) + { + OM_uint32 status; + gss_union_ctx_id_t ctx; +diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c +index 574ff02944..dc86cce3d3 100644 +--- a/src/lib/gssapi/mechglue/g_delete_sec_context.c ++++ 
b/src/lib/gssapi/mechglue/g_delete_sec_context.c +@@ -62,14 +62,8 @@ val_del_sec_ctx_args( + + + OM_uint32 KRB5_CALLCONV +-gss_delete_sec_context (minor_status, +- context_handle, +- output_token) +- +-OM_uint32 * minor_status; +-gss_ctx_id_t * context_handle; +-gss_buffer_t output_token; +- ++gss_delete_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, ++ gss_buffer_t output_token) + { + OM_uint32 status; + gss_union_ctx_id_t ctx; +diff --git a/src/lib/gssapi/mechglue/g_dsp_name.c b/src/lib/gssapi/mechglue/g_dsp_name.c +index 21867c814e..fae64f712e 100644 +--- a/src/lib/gssapi/mechglue/g_dsp_name.c ++++ b/src/lib/gssapi/mechglue/g_dsp_name.c +@@ -70,16 +70,8 @@ val_dsp_name_args( + + + OM_uint32 KRB5_CALLCONV +-gss_display_name (minor_status, +- input_name, +- output_name_buffer, +- output_name_type) +- +-OM_uint32 * minor_status; +-gss_name_t input_name; +-gss_buffer_t output_name_buffer; +-gss_OID * output_name_type; +- ++gss_display_name(OM_uint32 *minor_status, gss_name_t input_name, ++ gss_buffer_t output_name_buffer, gss_OID *output_name_type) + { + OM_uint32 major_status; + gss_union_name_t union_name; +diff --git a/src/lib/gssapi/mechglue/g_dsp_status.c b/src/lib/gssapi/mechglue/g_dsp_status.c +index 70e8492636..14a7a8200c 100644 +--- a/src/lib/gssapi/mechglue/g_dsp_status.c ++++ b/src/lib/gssapi/mechglue/g_dsp_status.c +@@ -36,20 +36,9 @@ + static OM_uint32 displayMajor(OM_uint32, OM_uint32 *, gss_buffer_t); + + OM_uint32 KRB5_CALLCONV +-gss_display_status (minor_status, +- status_value, +- status_type, +- req_mech_type, +- message_context, +- status_string) +- +-OM_uint32 * minor_status; +-OM_uint32 status_value; +-int status_type; +-gss_OID req_mech_type; +-OM_uint32 * message_context; +-gss_buffer_t status_string; +- ++gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, ++ int status_type, gss_OID req_mech_type, ++ OM_uint32 *message_context, gss_buffer_t status_string) + { + gss_OID mech_type = (gss_OID) req_mech_type; 
+ gss_mechanism mech; +@@ -147,10 +136,7 @@ gss_buffer_t status_string; + * >= 2 - the supplementary error code bit shifted by 1 + */ + static OM_uint32 +-displayMajor(status, msgCtxt, outStr) +-OM_uint32 status; +-OM_uint32 *msgCtxt; +-gss_buffer_t outStr; ++displayMajor(OM_uint32 status, OM_uint32 *msgCtxt, gss_buffer_t outStr) + { + OM_uint32 oneVal, mask = 0x1, currErr; + char *errStr = NULL; +diff --git a/src/lib/gssapi/mechglue/g_dup_name.c b/src/lib/gssapi/mechglue/g_dup_name.c +index ff01db27dc..bf6eb602ea 100644 +--- a/src/lib/gssapi/mechglue/g_dup_name.c ++++ b/src/lib/gssapi/mechglue/g_dup_name.c +@@ -51,12 +51,8 @@ val_dup_name_args( + + + OM_uint32 KRB5_CALLCONV +-gss_duplicate_name(minor_status, +- src_name, +- dest_name) +-OM_uint32 *minor_status; +-const gss_name_t src_name; +-gss_name_t *dest_name; ++gss_duplicate_name(OM_uint32 *minor_status, const gss_name_t src_name, ++ gss_name_t *dest_name) + { + gss_union_name_t src_union, dest_union; + OM_uint32 major_status = GSS_S_FAILURE; +diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c +index a04afe3d1e..68a3267cf0 100644 +--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c ++++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c +@@ -68,14 +68,8 @@ val_exp_sec_ctx_args( + + + OM_uint32 KRB5_CALLCONV +-gss_export_sec_context(minor_status, +- context_handle, +- interprocess_token) +- +-OM_uint32 * minor_status; +-gss_ctx_id_t * context_handle; +-gss_buffer_t interprocess_token; +- ++gss_export_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) + { + OM_uint32 status; + OM_uint32 length; +diff --git a/src/lib/gssapi/mechglue/g_export_name.c b/src/lib/gssapi/mechglue/g_export_name.c +index c845f8caf7..2e0611d2d5 100644 +--- a/src/lib/gssapi/mechglue/g_export_name.c ++++ b/src/lib/gssapi/mechglue/g_export_name.c +@@ -20,12 +20,8 @@ + #include + + OM_uint32 KRB5_CALLCONV +-gss_export_name(minor_status, +- 
input_name, +- exported_name) +-OM_uint32 * minor_status; +-const gss_name_t input_name; +-gss_buffer_t exported_name; ++gss_export_name(OM_uint32 *minor_status, const gss_name_t input_name, ++ gss_buffer_t exported_name) + { + gss_union_name_t union_name; + +diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c +index 176fbe63eb..47f499307a 100644 +--- a/src/lib/gssapi/mechglue/g_glue.c ++++ b/src/lib/gssapi/mechglue/g_glue.c +@@ -75,9 +75,8 @@ static gss_OID_desc gss_krb5_mechanism_oid_desc = + + #define NTLMSSP_SIGNATURE "NTLMSSP" + +-OM_uint32 gssint_get_mech_type(OID, token) +- gss_OID OID; +- gss_buffer_t token; ++OM_uint32 ++gssint_get_mech_type(gss_OID OID, gss_buffer_t token) + { + /* Check for interoperability exceptions */ + if (token->length >= sizeof(NTLMSSP_SIGNATURE) && +@@ -163,12 +162,10 @@ import_internal_attributes(OM_uint32 *minor, + * Internal routines to get and release an internal mechanism name + */ + +-OM_uint32 gssint_import_internal_name (minor_status, mech_type, union_name, +- internal_name) +-OM_uint32 *minor_status; +-gss_OID mech_type; +-gss_union_name_t union_name; +-gss_name_t *internal_name; ++OM_uint32 ++gssint_import_internal_name(OM_uint32 *minor_status, gss_OID mech_type, ++ gss_union_name_t union_name, ++ gss_name_t *internal_name) + { + OM_uint32 status, tmpMinor; + gss_mechanism mech; +@@ -220,12 +217,10 @@ gss_name_t *internal_name; + return (status); + } + +-OM_uint32 gssint_export_internal_name(minor_status, mech_type, +- internal_name, name_buf) +- OM_uint32 *minor_status; +- const gss_OID mech_type; +- const gss_name_t internal_name; +- gss_buffer_t name_buf; ++OM_uint32 ++gssint_export_internal_name(OM_uint32 *minor_status, const gss_OID mech_type, ++ const gss_name_t internal_name, ++ gss_buffer_t name_buf) + { + OM_uint32 status; + gss_mechanism mech; +@@ -307,13 +302,10 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type, + return (GSS_S_COMPLETE); + } /* 
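Review bot: The rewritten prototype `gssint_get_mech_type(gss_OID OID, gss_buffer_t token)` keeps the all-caps parameter name `OID`, which reads as a macro in a file where every other converted prototype uses lowercase names (`mech_type`, `internal_name`, `name_buf`). Since this commit is already rewriting the parameter list, it is the natural moment to rename it: `gssint_get_mech_type(gss_OID oid, gss_buffer_t token)` with the uses in the body updated to match. The body continues outside the hunk, so the rename would touch lines not shown here.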
gssint_export_internal_name */ + +-OM_uint32 gssint_display_internal_name (minor_status, mech_type, internal_name, +- external_name, name_type) +-OM_uint32 *minor_status; +-gss_OID mech_type; +-gss_name_t internal_name; +-gss_buffer_t external_name; +-gss_OID *name_type; ++OM_uint32 ++gssint_display_internal_name(OM_uint32 *minor_status, gss_OID mech_type, ++ gss_name_t internal_name, ++ gss_buffer_t external_name, gss_OID *name_type) + { + OM_uint32 status; + gss_mechanism mech; +@@ -337,10 +329,9 @@ gss_OID *name_type; + return (GSS_S_BAD_MECH); + } + +-OM_uint32 gssint_release_internal_name (minor_status, mech_type, internal_name) +-OM_uint32 *minor_status; +-gss_OID mech_type; +-gss_name_t *internal_name; ++OM_uint32 ++gssint_release_internal_name(OM_uint32 *minor_status, gss_OID mech_type, ++ gss_name_t *internal_name) + { + OM_uint32 status; + gss_mechanism mech; +@@ -362,14 +353,10 @@ gss_name_t *internal_name; + return (GSS_S_BAD_MECH); + } + +-OM_uint32 gssint_delete_internal_sec_context (minor_status, +- mech_type, +- internal_ctx, +- output_token) +-OM_uint32 *minor_status; +-gss_OID mech_type; +-gss_ctx_id_t *internal_ctx; +-gss_buffer_t output_token; ++OM_uint32 ++gssint_delete_internal_sec_context(OM_uint32 *minor_status, gss_OID mech_type, ++ gss_ctx_id_t *internal_ctx, ++ gss_buffer_t output_token) + { + OM_uint32 status; + gss_mechanism mech; +@@ -394,12 +381,10 @@ gss_buffer_t output_token; + * name. Note that internal_name should be considered "consumed" by + * this call, whether or not we return an error. 
+ */ +-OM_uint32 gssint_convert_name_to_union_name(minor_status, mech, +- internal_name, external_name) +- OM_uint32 *minor_status; +- gss_mechanism mech; +- gss_name_t internal_name; +- gss_name_t *external_name; ++OM_uint32 ++gssint_convert_name_to_union_name(OM_uint32 *minor_status, gss_mechanism mech, ++ gss_name_t internal_name, ++ gss_name_t *external_name) + { + OM_uint32 major_status,tmp; + gss_union_name_t union_name; +@@ -473,9 +458,7 @@ allocation_failure: + * external union credential. + */ + gss_cred_id_t +-gssint_get_mechanism_cred(union_cred, mech_type) +- gss_union_cred_t union_cred; +- gss_OID mech_type; ++gssint_get_mechanism_cred(gss_union_cred_t union_cred, gss_OID mech_type) + { + int i; + +@@ -494,10 +477,8 @@ gssint_get_mechanism_cred(union_cred, mech_type) + * Both space for the structure and the data is allocated. + */ + OM_uint32 +-gssint_create_copy_buffer(srcBuf, destBuf, addNullChar) +- const gss_buffer_t srcBuf; +- gss_buffer_t *destBuf; +- int addNullChar; ++gssint_create_copy_buffer(const gss_buffer_t srcBuf, gss_buffer_t *destBuf, ++ int addNullChar) + { + gss_buffer_t aBuf; + unsigned int len; +diff --git a/src/lib/gssapi/mechglue/g_imp_name.c b/src/lib/gssapi/mechglue/g_imp_name.c +index a805078a81..65fa6c0fb3 100644 +--- a/src/lib/gssapi/mechglue/g_imp_name.c ++++ b/src/lib/gssapi/mechglue/g_imp_name.c +@@ -81,16 +81,8 @@ val_imp_name_args( + static gss_buffer_desc emptyNameBuffer; + + OM_uint32 KRB5_CALLCONV +-gss_import_name(minor_status, +- input_name_buffer, +- input_name_type, +- output_name) +- +-OM_uint32 * minor_status; +-gss_buffer_t input_name_buffer; +-gss_OID input_name_type; +-gss_name_t * output_name; +- ++gss_import_name(OM_uint32 * minor_status, gss_buffer_t input_name_buffer, ++ gss_OID input_name_type, gss_name_t * output_name) + { + gss_union_name_t union_name; + OM_uint32 tmp, major_status = GSS_S_FAILURE; +@@ -183,10 +175,8 @@ allocation_failure: + } + + static OM_uint32 +-importExportName(minor, unionName, 
inputNameType) +- OM_uint32 *minor; +- gss_union_name_t unionName; +- gss_OID inputNameType; ++importExportName(OM_uint32 *minor, gss_union_name_t unionName, ++ gss_OID inputNameType) + { + gss_OID_desc mechOid; + gss_buffer_desc expName; +diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c +index 6315201a5f..55a3136df1 100644 +--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c ++++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c +@@ -69,14 +69,9 @@ val_imp_sec_ctx_args( + + + OM_uint32 KRB5_CALLCONV +-gss_import_sec_context(minor_status, +- interprocess_token, +- context_handle) +- +-OM_uint32 * minor_status; +-gss_buffer_t interprocess_token; +-gss_ctx_id_t * context_handle; +- ++gss_import_sec_context(OM_uint32 *minor_status, ++ gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle) + { + OM_uint32 length = 0; + OM_uint32 status; +diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c +index a58074c007..d639a8de3b 100644 +--- a/src/lib/gssapi/mechglue/g_init_sec_context.c ++++ b/src/lib/gssapi/mechglue/g_init_sec_context.c +@@ -88,34 +88,15 @@ val_init_sec_ctx_args( + + + OM_uint32 KRB5_CALLCONV +-gss_init_sec_context (minor_status, +- claimant_cred_handle, +- context_handle, +- target_name, +- req_mech_type, +- req_flags, +- time_req, +- input_chan_bindings, +- input_token, +- actual_mech_type, +- output_token, +- ret_flags, +- time_rec) +- +-OM_uint32 * minor_status; +-gss_cred_id_t claimant_cred_handle; +-gss_ctx_id_t * context_handle; +-gss_name_t target_name; +-gss_OID req_mech_type; +-OM_uint32 req_flags; +-OM_uint32 time_req; +-gss_channel_bindings_t input_chan_bindings; +-gss_buffer_t input_token; +-gss_OID * actual_mech_type; +-gss_buffer_t output_token; +-OM_uint32 * ret_flags; +-OM_uint32 * time_rec; +- ++gss_init_sec_context(OM_uint32 *minor_status, ++ gss_cred_id_t claimant_cred_handle, ++ gss_ctx_id_t *context_handle, gss_name_t target_name, 
++ gss_OID req_mech_type, OM_uint32 req_flags, ++ OM_uint32 time_req, ++ gss_channel_bindings_t input_chan_bindings, ++ gss_buffer_t input_token, gss_OID *actual_mech_type, ++ gss_buffer_t output_token, OM_uint32 *ret_flags, ++ OM_uint32 *time_rec) + { + OM_uint32 status, temp_minor_status; + gss_union_name_t union_name; +diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c +index 22f6c615c1..7e36c4a0d0 100644 +--- a/src/lib/gssapi/mechglue/g_initialize.c ++++ b/src/lib/gssapi/mechglue/g_initialize.c +@@ -169,9 +169,7 @@ gssint_mechglue_initialize_library(void) + * This routine requires direct access to the mechList. + */ + OM_uint32 KRB5_CALLCONV +-gss_release_oid(minor_status, oid) +-OM_uint32 *minor_status; +-gss_OID *oid; ++gss_release_oid(OM_uint32 *minor_status, gss_OID *oid) + { + OM_uint32 major; + gss_mech_info aMech; +@@ -267,9 +265,7 @@ prune_deprecated(gss_OID_set mech_set) + * a mech oid set, and only update it once the file has changed. + */ + OM_uint32 KRB5_CALLCONV +-gss_indicate_mechs(minorStatus, mechSet_out) +-OM_uint32 *minorStatus; +-gss_OID_set *mechSet_out; ++gss_indicate_mechs(OM_uint32 *minorStatus, gss_OID_set *mechSet_out) + { + OM_uint32 status; + +@@ -417,8 +413,7 @@ build_mechSet(void) + * caller is responsible for freeing the memory + */ + char * +-gssint_get_modOptions(oid) +-const gss_OID oid; ++gssint_get_modOptions(const gss_OID oid) + { + gss_mech_info aMech; + char *modOptions = NULL; +@@ -479,7 +474,7 @@ load_if_changed(const char *pathname, time_t last, time_t *highest) + /* Try to load any config files which have changed since the last call. Config + * files are MECH_CONF and any files matching MECH_CONF_PATTERN. 
*/ + static void +-loadConfigFiles() ++loadConfigFiles(void) + { + glob_t globbuf; + time_t highest = (time_t)-1, now; +@@ -679,7 +674,8 @@ gssint_register_mechinfo(gss_mech_info template) + memset(&errinfo, 0, sizeof(errinfo)); \ + if (krb5int_get_plugin_func(_dl, \ + #_symbol, \ +- (void (**)())&(_mech)->_symbol, \ ++ (void (**)(void)) \ ++ &(_mech)->_symbol, \ + &errinfo) || errinfo.code) { \ + (_mech)->_symbol = NULL; \ + k5_clear_error(&errinfo); \ +@@ -801,7 +797,7 @@ build_dynamicMech(void *dl, const gss_OID mech_type) + memset(&errinfo, 0, sizeof(errinfo)); \ + if (krb5int_get_plugin_func(_dl, \ + "gssi" #_nsym, \ +- (void (**)())&(_mech)->_psym \ ++ (void (**)(void))&(_mech)->_psym \ + ## _nsym, \ + &errinfo) || errinfo.code) { \ + (_mech)->_psym ## _nsym = NULL; \ +@@ -948,7 +944,7 @@ loadInterMech(gss_mech_info minfo) + } + + if (krb5int_get_plugin_func(dl, MECH_INTERPOSER_SYM, +- (void (**)())&isym, &errinfo) != 0) ++ (void (**)(void))&isym, &errinfo) != 0) + goto cleanup; + + /* Get a list of mechs to interpose. 
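Review bot: The cast in the gssint_register_mechinfo macro now reads `(void (**)(void))&(_mech)->_symbol`, but nothing in the macro says why a slot declared with the symbol's real function type is handed to krb5int_get_plugin_func through a generic `void (*)(void)` pointer; the same unexplained adaptation recurs in the build_dynamicMech macro, in loadInterMech (`&isym`) and in gssint_get_mechanism (`&sym`). The hunk only changes the spelling of the cast (presumably so the parameter list is no longer an unprototyped `()`), so this is a documentation point. A short comment at the first site, `/* krb5int_get_plugin_func hands back a generic void (*)(void); the cast only adapts the typed slot to that interface */`, would keep the next reader from taking it for a strict-aliasing accident. The macro definition begins outside the hunk.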
*/ +@@ -1184,7 +1180,7 @@ gssint_get_mechanism(gss_const_OID oid) + return ((gss_mechanism)NULL); + } + +- if (krb5int_get_plugin_func(dl, MECH_SYM, (void (**)())&sym, ++ if (krb5int_get_plugin_func(dl, MECH_SYM, (void (**)(void))&sym, + &errinfo) == 0) { + /* Call the symbol to get the mechanism table */ + aMech->mech = (*sym)(aMech->mech_type); +diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c +index 4ed7774f1a..0aa9acc889 100644 +--- a/src/lib/gssapi/mechglue/g_inq_cred.c ++++ b/src/lib/gssapi/mechglue/g_inq_cred.c +@@ -35,20 +35,9 @@ + #include + + OM_uint32 KRB5_CALLCONV +-gss_inquire_cred(minor_status, +- cred_handle, +- name, +- lifetime, +- cred_usage, +- mechanisms) +- +-OM_uint32 * minor_status; +-gss_cred_id_t cred_handle; +-gss_name_t * name; +-OM_uint32 * lifetime; +-int * cred_usage; +-gss_OID_set * mechanisms; +- ++gss_inquire_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle, ++ gss_name_t *name, OM_uint32 *lifetime, int *cred_usage, ++ gss_OID_set *mechanisms) + { + OM_uint32 status, temp_minor_status; + gss_union_cred_t union_cred; +@@ -159,15 +148,11 @@ error: + } + + OM_uint32 KRB5_CALLCONV +-gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, +- initiator_lifetime, acceptor_lifetime, cred_usage) +- OM_uint32 *minor_status; +- gss_cred_id_t cred_handle; +- gss_OID mech_type; +- gss_name_t *name; +- OM_uint32 *initiator_lifetime; +- OM_uint32 *acceptor_lifetime; +- gss_cred_usage_t *cred_usage; ++gss_inquire_cred_by_mech(OM_uint32 *minor_status, gss_cred_id_t cred_handle, ++ gss_OID mech_type, gss_name_t *name, ++ OM_uint32 *initiator_lifetime, ++ OM_uint32 *acceptor_lifetime, ++ gss_cred_usage_t *cred_usage) + { + gss_union_cred_t union_cred; + gss_cred_id_t mech_cred; +diff --git a/src/lib/gssapi/mechglue/g_inq_names.c b/src/lib/gssapi/mechglue/g_inq_names.c +index d22af8bcf9..066c00c042 100644 +--- a/src/lib/gssapi/mechglue/g_inq_names.c ++++ b/src/lib/gssapi/mechglue/g_inq_names.c 
+@@ -32,12 +32,8 @@ + + /* Last argument new for V2 */ + OM_uint32 KRB5_CALLCONV +-gss_inquire_names_for_mech(minor_status, mechanism, name_types) +- +-OM_uint32 * minor_status; +-gss_OID mechanism; +-gss_OID_set * name_types; +- ++gss_inquire_names_for_mech(OM_uint32 *minor_status, gss_OID mechanism, ++ gss_OID_set *name_types) + { + OM_uint32 status; + gss_OID selected_mech = GSS_C_NO_OID, public_mech; +diff --git a/src/lib/gssapi/mechglue/g_mechname.c b/src/lib/gssapi/mechglue/g_mechname.c +index cfb0a0d2af..5664fa157e 100644 +--- a/src/lib/gssapi/mechglue/g_mechname.c ++++ b/src/lib/gssapi/mechglue/g_mechname.c +@@ -20,8 +20,8 @@ static gss_mech_spec_name name_list = NULL; + /* + * generic searching helper function. + */ +-static gss_mech_spec_name search_mech_spec(name_type) +- gss_OID name_type; ++static gss_mech_spec_name ++search_mech_spec(gss_OID name_type) + { + gss_mech_spec_name p; + +@@ -36,8 +36,8 @@ static gss_mech_spec_name search_mech_spec(name_type) + * Given a name_type, if it is specific to a mechanism, return the + * mechanism OID. Otherwise, return NULL. + */ +-gss_OID gss_find_mechanism_from_name_type(name_type) +- gss_OID name_type; ++gss_OID ++gss_find_mechanism_from_name_type(gss_OID name_type) + { + gss_mech_spec_name p; + +@@ -54,10 +54,8 @@ gss_OID gss_find_mechanism_from_name_type(name_type) + * Otherwise, enter the pair into the registry. 
+ */ + OM_uint32 +-gss_add_mech_name_type(minor_status, name_type, mech) +- OM_uint32 *minor_status; +- gss_OID name_type; +- gss_OID mech; ++gss_add_mech_name_type(OM_uint32 *minor_status, gss_OID name_type, ++ gss_OID mech) + { + OM_uint32 major_status, tmp; + gss_mech_spec_name p; +diff --git a/src/lib/gssapi/mechglue/g_oid_ops.c b/src/lib/gssapi/mechglue/g_oid_ops.c +index 1d7970c5dd..f29fb3b33e 100644 +--- a/src/lib/gssapi/mechglue/g_oid_ops.c ++++ b/src/lib/gssapi/mechglue/g_oid_ops.c +@@ -33,9 +33,7 @@ + */ + + OM_uint32 KRB5_CALLCONV +-gss_create_empty_oid_set(minor_status, oid_set) +- OM_uint32 *minor_status; +- gss_OID_set *oid_set; ++gss_create_empty_oid_set(OM_uint32 *minor_status, gss_OID_set *oid_set) + { + OM_uint32 status; + status = generic_gss_create_empty_oid_set(minor_status, oid_set); +@@ -45,10 +43,8 @@ gss_create_empty_oid_set(minor_status, oid_set) + } + + OM_uint32 KRB5_CALLCONV +-gss_add_oid_set_member(minor_status, member_oid, oid_set) +- OM_uint32 *minor_status; +- gss_OID member_oid; +- gss_OID_set *oid_set; ++gss_add_oid_set_member(OM_uint32 *minor_status, gss_OID member_oid, ++ gss_OID_set *oid_set) + { + OM_uint32 status; + status = generic_gss_add_oid_set_member(minor_status, member_oid, oid_set); +@@ -58,20 +54,14 @@ gss_add_oid_set_member(minor_status, member_oid, oid_set) + } + + OM_uint32 KRB5_CALLCONV +-gss_test_oid_set_member(minor_status, member, set, present) +- OM_uint32 *minor_status; +- gss_OID member; +- gss_OID_set set; +- int *present; ++gss_test_oid_set_member(OM_uint32 *minor_status, gss_OID member, ++ gss_OID_set set, int *present) + { + return generic_gss_test_oid_set_member(minor_status, member, set, present); + } + + OM_uint32 KRB5_CALLCONV +-gss_oid_to_str(minor_status, oid, oid_str) +- OM_uint32 *minor_status; +- gss_OID oid; +- gss_buffer_t oid_str; ++gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str) + { + OM_uint32 status = generic_gss_oid_to_str(minor_status, oid, oid_str); + if 
(status != GSS_S_COMPLETE)
+@@ -80,10 +70,7 @@ gss_oid_to_str(minor_status, oid, oid_str)
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_str_to_oid(minor_status, oid_str, oid)
+- OM_uint32 *minor_status;
+- gss_buffer_t oid_str;
+- gss_OID *oid;
++gss_str_to_oid(OM_uint32 *minor_status, gss_buffer_t oid_str, gss_OID *oid)
+ {
+ OM_uint32 status = generic_gss_str_to_oid(minor_status, oid_str, oid);
+ if (status != GSS_S_COMPLETE)
+diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c
+index 3968b5d9c6..2b3f6c704d 100644
+--- a/src/lib/gssapi/mechglue/g_process_context.c
++++ b/src/lib/gssapi/mechglue/g_process_context.c
+@@ -29,14 +29,8 @@
+ #include "mglueP.h"
+
+ OM_uint32 KRB5_CALLCONV
+-gss_process_context_token (minor_status,
+- context_handle,
+- token_buffer)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t token_buffer;
+-
++gss_process_context_token(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t token_buffer)
+ {
+ OM_uint32 status;
+ gss_union_ctx_id_t ctx;
+diff --git a/src/lib/gssapi/mechglue/g_rel_buffer.c b/src/lib/gssapi/mechglue/g_rel_buffer.c
+index 8c3328acc5..60117bdb56 100644
+--- a/src/lib/gssapi/mechglue/g_rel_buffer.c
++++ b/src/lib/gssapi/mechglue/g_rel_buffer.c
+@@ -33,11 +33,7 @@
+ #endif
+
+ OM_uint32 KRB5_CALLCONV
+-gss_release_buffer (minor_status,
+- buffer)
+-
+-OM_uint32 * minor_status;
+-gss_buffer_t buffer;
++gss_release_buffer(OM_uint32 *minor_status, gss_buffer_t buffer)
+ {
+ if (minor_status)
+ *minor_status = 0;
+diff --git a/src/lib/gssapi/mechglue/g_rel_cred.c b/src/lib/gssapi/mechglue/g_rel_cred.c
+index ccdee05a56..ee3d1d71e3 100644
+--- a/src/lib/gssapi/mechglue/g_rel_cred.c
++++ b/src/lib/gssapi/mechglue/g_rel_cred.c
+@@ -31,12 +31,7 @@
+ #endif
+
+ OM_uint32 KRB5_CALLCONV
+-gss_release_cred(minor_status,
+- cred_handle)
+-
+-OM_uint32 * minor_status;
+-gss_cred_id_t * cred_handle;
+-
++gss_release_cred(OM_uint32 *minor_status,
gss_cred_id_t *cred_handle)
+ {
+ OM_uint32 status, temp_status;
+ int j;
+diff --git a/src/lib/gssapi/mechglue/g_rel_name.c b/src/lib/gssapi/mechglue/g_rel_name.c
+index e008692383..d490f9f290 100644
+--- a/src/lib/gssapi/mechglue/g_rel_name.c
++++ b/src/lib/gssapi/mechglue/g_rel_name.c
+@@ -34,12 +34,7 @@
+ #include
+
+ OM_uint32 KRB5_CALLCONV
+-gss_release_name (minor_status,
+- input_name)
+-
+-OM_uint32 * minor_status;
+-gss_name_t * input_name;
+-
++gss_release_name(OM_uint32 *minor_status, gss_name_t *input_name)
+ {
+ gss_union_name_t union_name;
+
+diff --git a/src/lib/gssapi/mechglue/g_rel_oid_set.c b/src/lib/gssapi/mechglue/g_rel_oid_set.c
+index fa008d6bb9..9151dd2e71 100644
+--- a/src/lib/gssapi/mechglue/g_rel_oid_set.c
++++ b/src/lib/gssapi/mechglue/g_rel_oid_set.c
+@@ -33,11 +33,7 @@
+ #endif
+
+ OM_uint32 KRB5_CALLCONV
+-gss_release_oid_set (minor_status,
+- set)
+-
+-OM_uint32 * minor_status;
+-gss_OID_set * set;
++gss_release_oid_set(OM_uint32 *minor_status, gss_OID_set *set)
+ {
+ return generic_gss_release_oid_set(minor_status, set);
+ }
+diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c
+index 03fbd8c01f..c9af1da570 100644
+--- a/src/lib/gssapi/mechglue/g_sign.c
++++ b/src/lib/gssapi/mechglue/g_sign.c
+@@ -66,18 +66,9 @@ val_get_mic_args(
+
+
+ OM_uint32 KRB5_CALLCONV
+-gss_get_mic (minor_status,
+- context_handle,
+- qop_req,
+- message_buffer,
+- msg_token)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_qop_t qop_req;
+-gss_buffer_t message_buffer;
+-gss_buffer_t msg_token;
+-
++gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++ gss_qop_t qop_req, gss_buffer_t message_buffer,
++ gss_buffer_t msg_token)
+ {
+ OM_uint32 status;
+ gss_union_ctx_id_t ctx;
+@@ -118,18 +109,8 @@ gss_buffer_t msg_token;
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_sign (minor_status,
+- context_handle,
+- qop_req,
+- message_buffer,
+- msg_token)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t
context_handle;
+-int qop_req;
+-gss_buffer_t message_buffer;
+-gss_buffer_t msg_token;
+-
++gss_sign(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int qop_req,
++ gss_buffer_t message_buffer, gss_buffer_t msg_token)
+ {
+ return (gss_get_mic(minor_status, context_handle, (gss_qop_t) qop_req,
+ message_buffer, msg_token));
+diff --git a/src/lib/gssapi/mechglue/g_store_cred.c b/src/lib/gssapi/mechglue/g_store_cred.c
+index c2b6ddf3c0..231b3e81a0 100644
+--- a/src/lib/gssapi/mechglue/g_store_cred.c
++++ b/src/lib/gssapi/mechglue/g_store_cred.c
+@@ -93,24 +93,10 @@ val_store_cred_args(
+
+
+ OM_uint32 KRB5_CALLCONV
+-gss_store_cred(minor_status,
+- input_cred_handle,
+- cred_usage,
+- desired_mech,
+- overwrite_cred,
+- default_cred,
+- elements_stored,
+- cred_usage_stored)
+-
+-OM_uint32 *minor_status;
+-gss_cred_id_t input_cred_handle;
+-gss_cred_usage_t cred_usage;
+-const gss_OID desired_mech;
+-OM_uint32 overwrite_cred;
+-OM_uint32 default_cred;
+-gss_OID_set *elements_stored;
+-gss_cred_usage_t *cred_usage_stored;
+-
++gss_store_cred(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle,
++ gss_cred_usage_t cred_usage, const gss_OID desired_mech,
++ OM_uint32 overwrite_cred, OM_uint32 default_cred,
++ gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored)
+ {
+ return gss_store_cred_into(minor_status, input_cred_handle, cred_usage,
+ desired_mech, overwrite_cred, default_cred,
+@@ -119,26 +105,12 @@ gss_cred_usage_t *cred_usage_stored;
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_store_cred_into(minor_status,
+- input_cred_handle,
+- cred_usage,
+- desired_mech,
+- overwrite_cred,
+- default_cred,
+- cred_store,
+- elements_stored,
+- cred_usage_stored)
+-
+-OM_uint32 *minor_status;
+-gss_cred_id_t input_cred_handle;
+-gss_cred_usage_t cred_usage;
+-gss_OID desired_mech;
+-OM_uint32 overwrite_cred;
+-OM_uint32 default_cred;
+-gss_const_key_value_set_t cred_store;
+-gss_OID_set *elements_stored;
+-gss_cred_usage_t *cred_usage_stored;
+-
++gss_store_cred_into(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle,
++ gss_cred_usage_t cred_usage, gss_OID desired_mech,
++ OM_uint32 overwrite_cred, OM_uint32 default_cred,
++ gss_const_key_value_set_t cred_store,
++ gss_OID_set *elements_stored,
++ gss_cred_usage_t *cred_usage_stored)
+ {
+ OM_uint32 major_status = GSS_S_FAILURE;
+ gss_union_cred_t union_cred;
+diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c
+index c208635b67..2be3745d1f 100644
+--- a/src/lib/gssapi/mechglue/g_unseal.c
++++ b/src/lib/gssapi/mechglue/g_unseal.c
+@@ -29,20 +29,10 @@
+ #include "mglueP.h"
+
+ OM_uint32 KRB5_CALLCONV
+-gss_unwrap (minor_status,
+- context_handle,
+- input_message_buffer,
+- output_message_buffer,
+- conf_state,
+- qop_state)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t input_message_buffer;
+-gss_buffer_t output_message_buffer;
+-int * conf_state;
+-gss_qop_t * qop_state;
+-
++gss_unwrap(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t input_message_buffer,
++ gss_buffer_t output_message_buffer,
++ int *conf_state, gss_qop_t *qop_state)
+ {
+ /* EXPORT DELETE START */
+ OM_uint32 status;
+@@ -111,20 +101,9 @@ gss_qop_t * qop_state;
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_unseal (minor_status,
+- context_handle,
+- input_message_buffer,
+- output_message_buffer,
+- conf_state,
+- qop_state)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t input_message_buffer;
+-gss_buffer_t output_message_buffer;
+-int * conf_state;
+-int * qop_state;
+-
++gss_unseal(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t input_message_buffer,
++ gss_buffer_t output_message_buffer, int *conf_state, int *qop_state)
+ {
+ return (gss_unwrap(minor_status, context_handle,
+ input_message_buffer,
+diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c
+index 0682bd8998..5c9ff30031 100644
+---
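Review bot: The new prototype for gss_unwrap in g_unseal.c spells its first parameter `OM_uint32 * minor_status` while every other parameter in the same line and the sibling gss_unseal prototype use `OM_uint32 *minor_status`; the same leftover spacing appears in the gss_unwrap_aead, gss_unwrap_iov, gss_verify_mic, gss_wrap_aead, gss_wrap_iov and gss_release_iov_buffer hunks that follow. Since this series exists to normalise the definitions, the conversion should not carry the old K&R declarator spacing into the new signatures: `gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,`. The gss_wrap_aead hunk in g_wrap_aead.c additionally keeps a one-parameter-per-line layout with a space before the opening parenthesis, `gss_wrap_aead (`, unlike the rest of the conversion; it would read better in the wrapped form used for gss_wrap_iov. The bodies of these functions lie outside the hunks.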
a/src/lib/gssapi/mechglue/g_unwrap_aead.c
++++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c
+@@ -154,20 +154,11 @@ gssint_unwrap_aead (gss_mechanism mech,
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_unwrap_aead (minor_status,
+- context_handle,
+- input_message_buffer,
+- input_assoc_buffer,
+- output_payload_buffer,
+- conf_state,
+- qop_state)
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t input_message_buffer;
+-gss_buffer_t input_assoc_buffer;
+-gss_buffer_t output_payload_buffer;
+-int *conf_state;
+-gss_qop_t *qop_state;
++gss_unwrap_aead(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t input_message_buffer,
++ gss_buffer_t input_assoc_buffer,
++ gss_buffer_t output_payload_buffer,
++ int *conf_state, gss_qop_t *qop_state)
+ {
+
+ OM_uint32 status;
+diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c
+index 599be2c7b2..bf9c3bcc33 100644
+--- a/src/lib/gssapi/mechglue/g_unwrap_iov.c
++++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c
+@@ -59,18 +59,9 @@ val_unwrap_iov_args(
+
+
+ OM_uint32 KRB5_CALLCONV
+-gss_unwrap_iov (minor_status,
+- context_handle,
+- conf_state,
+- qop_state,
+- iov,
+- iov_count)
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-int * conf_state;
+-gss_qop_t *qop_state;
+-gss_iov_buffer_desc * iov;
+-int iov_count;
++gss_unwrap_iov(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
++ int *conf_state, gss_qop_t *qop_state,
++ gss_iov_buffer_desc *iov, int iov_count)
+ {
+ /* EXPORT DELETE START */
+
+diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c
+index 8996fce8d5..86ade66877 100644
+--- a/src/lib/gssapi/mechglue/g_verify.c
++++ b/src/lib/gssapi/mechglue/g_verify.c
+@@ -29,18 +29,9 @@
+ #include "mglueP.h"
+
+ OM_uint32 KRB5_CALLCONV
+-gss_verify_mic (minor_status,
+- context_handle,
+- message_buffer,
+- token_buffer,
+- qop_state)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t
message_buffer;
+-gss_buffer_t token_buffer;
+-gss_qop_t * qop_state;
+-
++gss_verify_mic(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t message_buffer, gss_buffer_t token_buffer,
++ gss_qop_t *qop_state)
+ {
+ OM_uint32 status;
+ gss_union_ctx_id_t ctx;
+@@ -89,18 +80,9 @@ gss_qop_t * qop_state;
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_verify (minor_status,
+- context_handle,
+- message_buffer,
+- token_buffer,
+- qop_state)
+-
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-gss_buffer_t message_buffer;
+-gss_buffer_t token_buffer;
+-int * qop_state;
+-
++gss_verify(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++ gss_buffer_t message_buffer, gss_buffer_t token_buffer,
++ int *qop_state)
+ {
+ return (gss_verify_mic(minor_status, context_handle,
+ message_buffer, token_buffer,
+diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c
+index 7fe3b7b35b..5a6570f7f9 100644
+--- a/src/lib/gssapi/mechglue/g_wrap_aead.c
++++ b/src/lib/gssapi/mechglue/g_wrap_aead.c
+@@ -177,15 +177,11 @@ gssint_wrap_aead_iov_shim(gss_mechanism mech,
+ }
+
+ OM_uint32
+-gssint_wrap_aead (gss_mechanism mech,
+- OM_uint32 *minor_status,
+- gss_union_ctx_id_t ctx,
+- int conf_req_flag,
+- gss_qop_t qop_req,
+- gss_buffer_t input_assoc_buffer,
+- gss_buffer_t input_payload_buffer,
+- int *conf_state,
+- gss_buffer_t output_message_buffer)
++gssint_wrap_aead(gss_mechanism mech, OM_uint32 *minor_status,
++ gss_union_ctx_id_t ctx, int conf_req_flag, gss_qop_t qop_req,
++ gss_buffer_t input_assoc_buffer,
++ gss_buffer_t input_payload_buffer,
++ int *conf_state, gss_buffer_t output_message_buffer)
+ {
+ /* EXPORT DELETE START */
+ OM_uint32 status;
+@@ -223,22 +219,15 @@ gssint_wrap_aead (gss_mechanism mech,
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_wrap_aead (minor_status,
+- context_handle,
+- conf_req_flag,
+- qop_req,
+- input_assoc_buffer,
+- input_payload_buffer,
+- conf_state,
+- output_message_buffer)
+-OM_uint32 *
minor_status;
+-gss_ctx_id_t context_handle;
+-int conf_req_flag;
+-gss_qop_t qop_req;
+-gss_buffer_t input_assoc_buffer;
+-gss_buffer_t input_payload_buffer;
+-int * conf_state;
+-gss_buffer_t output_message_buffer;
++gss_wrap_aead (
++ OM_uint32 * minor_status,
++ gss_ctx_id_t context_handle,
++ int conf_req_flag,
++ gss_qop_t qop_req,
++ gss_buffer_t input_assoc_buffer,
++ gss_buffer_t input_payload_buffer,
++ int * conf_state,
++ gss_buffer_t output_message_buffer)
+ {
+ OM_uint32 status;
+ gss_mechanism mech;
+diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c
+index 14447c4ee1..aaf3a9308e 100644
+--- a/src/lib/gssapi/mechglue/g_wrap_iov.c
++++ b/src/lib/gssapi/mechglue/g_wrap_iov.c
+@@ -60,20 +60,9 @@ val_wrap_iov_args(
+
+
+ OM_uint32 KRB5_CALLCONV
+-gss_wrap_iov (minor_status,
+- context_handle,
+- conf_req_flag,
+- qop_req,
+- conf_state,
+- iov,
+- iov_count)
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-int conf_req_flag;
+-gss_qop_t qop_req;
+-int * conf_state;
+-gss_iov_buffer_desc * iov;
+-int iov_count;
++gss_wrap_iov(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
++ int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++ gss_iov_buffer_desc *iov, int iov_count)
+ {
+ /* EXPORT DELETE START */
+
+@@ -120,20 +109,10 @@ int iov_count;
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_wrap_iov_length (minor_status,
+- context_handle,
+- conf_req_flag,
+- qop_req,
+- conf_state,
+- iov,
+- iov_count)
+-OM_uint32 * minor_status;
+-gss_ctx_id_t context_handle;
+-int conf_req_flag;
+-gss_qop_t qop_req;
+-int * conf_state;
+-gss_iov_buffer_desc * iov;
+-int iov_count;
++gss_wrap_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++ int conf_req_flag, gss_qop_t qop_req,
++ int *conf_state, gss_iov_buffer_desc *iov,
++ int iov_count)
+ {
+ /* EXPORT DELETE START */
+
+@@ -239,12 +218,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ }
+
+ OM_uint32 KRB5_CALLCONV
+-gss_release_iov_buffer (minor_status,
+- iov,
+- iov_count)
+-OM_uint32 * minor_status;
+-gss_iov_buffer_desc * iov;
+-int iov_count;
++gss_release_iov_buffer(OM_uint32 * minor_status, gss_iov_buffer_desc *iov,
++ int iov_count)
+ {
+ OM_uint32 status = GSS_S_COMPLETE;
+ int i;
+diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c
+index d84d158b46..c8d844e4c7 100644
+--- a/src/lib/kadm5/clnt/client_rpc.c
++++ b/src/lib/kadm5/clnt/client_rpc.c
+@@ -1,6 +1,7 @@
+ /* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */
+ #include
+ #include
++#include
+ #include
+ #include
+ #include /* for memset prototype */
+diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h
+index 5099c6c145..9efe49a373 100644
+--- a/src/lib/kadm5/kadm_rpc.h
++++ b/src/lib/kadm5/kadm_rpc.h
+@@ -360,49 +360,4 @@ extern enum clnt_stat get_principal_keys_2(getpkeys_arg *, getpkeys_ret *,
+ CLIENT *);
+ extern bool_t get_principal_keys_2_svc(getpkeys_arg *, getpkeys_ret *,
+ struct svc_req *);
+-
+-extern bool_t xdr_cprinc_arg ();
+-extern bool_t xdr_cprinc3_arg ();
+-extern bool_t xdr_generic_ret ();
+-extern bool_t xdr_dprinc_arg ();
+-extern bool_t xdr_mprinc_arg ();
+-extern bool_t xdr_rprinc_arg ();
+-extern bool_t xdr_gprincs_arg ();
+-extern bool_t xdr_gprincs_ret ();
+-extern bool_t xdr_chpass_arg ();
+-extern bool_t xdr_chpass3_arg ();
+-extern bool_t xdr_setkey_arg ();
+-extern bool_t xdr_setkey3_arg ();
+-extern bool_t xdr_setkey4_arg ();
+-extern bool_t xdr_chrand_arg ();
+-extern bool_t xdr_chrand3_arg ();
+-extern bool_t xdr_chrand_ret ();
+-extern bool_t xdr_gprinc_arg ();
+-extern bool_t xdr_gprinc_ret ();
+-extern bool_t xdr_kadm5_ret_t ();
+-extern bool_t xdr_kadm5_principal_ent_rec ();
+-extern bool_t xdr_kadm5_policy_ent_rec ();
+-extern bool_t xdr_krb5_keyblock ();
+-extern bool_t xdr_krb5_principal ();
+-extern bool_t xdr_krb5_enctype ();
+-extern bool_t xdr_krb5_octet ();
+-extern bool_t xdr_krb5_int32 ();
+-extern bool_t
xdr_u_int32 ();
+-extern bool_t xdr_cpol_arg ();
+-extern bool_t xdr_dpol_arg ();
+-extern bool_t xdr_mpol_arg ();
+-extern bool_t xdr_gpol_arg ();
+-extern bool_t xdr_gpol_ret ();
+-extern bool_t xdr_gpols_arg ();
+-extern bool_t xdr_gpols_ret ();
+-extern bool_t xdr_getprivs_ret ();
+-extern bool_t xdr_purgekeys_arg ();
+-extern bool_t xdr_gstrings_arg ();
+-extern bool_t xdr_gstrings_ret ();
+-extern bool_t xdr_sstring_arg ();
+-extern bool_t xdr_krb5_string_attr ();
+-extern bool_t xdr_kadm5_key_data ();
+-extern bool_t xdr_getpkeys_arg ();
+-extern bool_t xdr_getpkeys_ret ();
+-
+ #endif /* __KADM_RPC_H__ */
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 287cae750f..5e052dd90c 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -408,7 +408,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return (FALSE);
+ }
+ if (!xdr_nulltype(xdrs, (void **) &objp->mod_name,
+- xdr_krb5_principal)) {
++ (xdrproc_t)xdr_krb5_principal)) {
+ return (FALSE);
+ }
+ if (!xdr_krb5_timestamp(xdrs, &objp->mod_date)) {
+@@ -451,12 +451,13 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return (FALSE);
+ }
+ if (!xdr_nulltype(xdrs, (void **) &objp->tl_data,
+- xdr_krb5_tl_data)) {
++ (xdrproc_t)xdr_krb5_tl_data)) {
+ return FALSE;
+ }
+ n = objp->n_key_data;
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+- sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ sizeof(krb5_key_data),
++ (xdrproc_t)xdr_krb5_key_data_nocontents);
+ objp->n_key_data = n;
+ if (!r) {
+ return (FALSE);
+@@ -528,7 +529,7 @@ _xdr_kadm5_policy_ent_rec(XDR *xdrs, kadm5_policy_ent_rec *objp, int vers)
+ return (FALSE);
+ }
+ if (!xdr_nulltype(xdrs, (void **) &objp->tl_data,
+- xdr_krb5_tl_data)) {
++ (xdrproc_t)xdr_krb5_tl_data)) {
+ return FALSE;
+ }
+ }
+@@ -576,7 +577,7 @@ xdr_cprinc3_arg(XDR *xdrs, cprinc3_arg *objp)
+ if (!xdr_array(xdrs, (caddr_t
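Review bot: The `(xdrproc_t)` cast added in front of xdr_krb5_principal in the first kadm_rpc_xdr.c hunk is repeated, uncommented, at every xdr_nulltype/xdr_array element-procedure argument in the following hunks and again in adb_xdr.c, auth_gss.c and auth_gssapi.c; nothing in the new code records why the cast is needed. Presumably the prototyped xdrproc_t no longer matches the typed second parameter of these element procedures, so the cast silences the incompatible-pointer diagnostic while the procedure is still invoked through a pointer of a different function type, which is the established XDR idiom rather than a conversion that changes behaviour. A one-line comment at the first occurrence would stop a later reader from taking the casts for a type bug: `/* Element procs take a typed pointer; the xdrproc_t cast is the usual XDR idiom. */`. The enclosing _xdr_kadm5_principal_ent_rec starts and ends outside the hunk.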
*)&objp->ks_tuple,
+ (unsigned int *)&objp->n_ks_tuple, ~0,
+ sizeof(krb5_key_salt_tuple),
+- xdr_krb5_key_salt_tuple)) {
++ (xdrproc_t)xdr_krb5_key_salt_tuple)) {
+ return (FALSE);
+ }
+ if (!xdr_nullstring(xdrs, &objp->passwd)) {
+@@ -668,7 +669,7 @@ xdr_gprincs_ret(XDR *xdrs, gprincs_ret *objp)
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->princs,
+ (unsigned int *) &objp->count, ~0,
+- sizeof(char *), xdr_nullstring)) {
++ sizeof(char *), (xdrproc_t)xdr_nullstring)) {
+ return (FALSE);
+ }
+ }
+@@ -706,7 +707,7 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp)
+ if (!xdr_array(xdrs, (caddr_t *)&objp->ks_tuple,
+ (unsigned int*)&objp->n_ks_tuple, ~0,
+ sizeof(krb5_key_salt_tuple),
+- xdr_krb5_key_salt_tuple)) {
++ (xdrproc_t)xdr_krb5_key_salt_tuple)) {
+ return (FALSE);
+ }
+ if (!xdr_nullstring(xdrs, &objp->pass)) {
+@@ -726,7 +727,7 @@ xdr_setkey_arg(XDR *xdrs, setkey_arg *objp)
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->keyblocks,
+ (unsigned int *) &objp->n_keys, ~0,
+- sizeof(krb5_keyblock), xdr_krb5_keyblock)) {
++ sizeof(krb5_keyblock), (xdrproc_t)xdr_krb5_keyblock)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -746,12 +747,13 @@ xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp)
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->ks_tuple,
+ (unsigned int *) &objp->n_ks_tuple, ~0,
+- sizeof(krb5_key_salt_tuple), xdr_krb5_key_salt_tuple)) {
++ sizeof(krb5_key_salt_tuple),
++ (xdrproc_t)xdr_krb5_key_salt_tuple)) {
+ return (FALSE);
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->keyblocks,
+ (unsigned int *) &objp->n_keys, ~0,
+- sizeof(krb5_keyblock), xdr_krb5_keyblock)) {
++ sizeof(krb5_keyblock), (xdrproc_t)xdr_krb5_keyblock)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -771,7 +773,8 @@ xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp)
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+ (unsigned int *) &objp->n_key_data, ~0,
+- sizeof(kadm5_key_data), xdr_kadm5_key_data)) {
++ sizeof(kadm5_key_data),
++ (xdrproc_t)xdr_kadm5_key_data)) {
+ return FALSE;
+ }
+
return TRUE;
+@@ -804,7 +807,7 @@ xdr_chrand3_arg(XDR *xdrs, chrand3_arg *objp)
+ if (!xdr_array(xdrs, (caddr_t *)&objp->ks_tuple,
+ (unsigned int*)&objp->n_ks_tuple, ~0,
+ sizeof(krb5_key_salt_tuple),
+- xdr_krb5_key_salt_tuple)) {
++ (xdrproc_t)xdr_krb5_key_salt_tuple)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -822,7 +825,8 @@ xdr_chrand_ret(XDR *xdrs, chrand_ret *objp)
+ if (objp->code == KADM5_OK) {
+ if (!xdr_array(xdrs, (char **)&objp->keys,
+ (unsigned int *)&objp->n_keys, ~0,
+- sizeof(krb5_keyblock), xdr_krb5_keyblock))
++ sizeof(krb5_keyblock),
++ (xdrproc_t)xdr_krb5_keyblock))
+ return FALSE;
+ }
+
+@@ -965,7 +969,7 @@ xdr_gpols_ret(XDR *xdrs, gpols_ret *objp)
+ }
+ if (!xdr_array(xdrs, (caddr_t *) &objp->pols,
+ (unsigned int *) &objp->count, ~0,
+- sizeof(char *), xdr_nullstring)) {
++ sizeof(char *), (xdrproc_t)xdr_nullstring)) {
+ return (FALSE);
+ }
+ }
+@@ -1030,7 +1034,7 @@ xdr_gstrings_ret(XDR *xdrs, gstrings_ret *objp)
+ if (!xdr_array(xdrs, (caddr_t *) &objp->strings,
+ (unsigned int *) &objp->count, ~0,
+ sizeof(krb5_string_attr),
+- xdr_krb5_string_attr)) {
++ (xdrproc_t)xdr_krb5_string_attr)) {
+ return (FALSE);
+ }
+ }
+@@ -1198,7 +1202,8 @@ xdr_getpkeys_ret(XDR *xdrs, getpkeys_ret *objp)
+ if (objp->code == KADM5_OK) {
+ if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+ (unsigned int *) &objp->n_key_data, ~0,
+- sizeof(kadm5_key_data), xdr_kadm5_key_data)) {
++ sizeof(kadm5_key_data),
++ (xdrproc_t)xdr_kadm5_key_data)) {
+ return FALSE;
+ }
+ }
+diff --git a/src/lib/kadm5/misc_free.c b/src/lib/kadm5/misc_free.c
+index 74d23760fb..9ac47bb87f 100644
+--- a/src/lib/kadm5/misc_free.c
++++ b/src/lib/kadm5/misc_free.c
+@@ -41,9 +41,8 @@ kadm5_free_name_list(void *server_handle, char **names, int count)
+ }
+
+ /* XXX this ought to be in libkrb5.a, but isn't */
+-kadm5_ret_t krb5_free_key_data_contents(context, key)
+- krb5_context context;
+- krb5_key_data *key;
++kadm5_ret_t
++krb5_free_key_data_contents(krb5_context context,
krb5_key_data *key)
+ {
+ int i, idx;
+
+diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
+index fc732971d2..b6ffdb8c7a 100644
+--- a/src/lib/kadm5/srv/adb_xdr.c
++++ b/src/lib/kadm5/srv/adb_xdr.c
+@@ -53,8 +53,7 @@ xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp)
+ {
+ if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+ (u_int *) &objp->n_key_data, ~0,
+- sizeof(krb5_key_data),
+- xdr_krb5_key_data))
++ sizeof(krb5_key_data), (xdrproc_t)xdr_krb5_key_data))
+ return (FALSE);
+ return (TRUE);
+ }
+@@ -88,8 +87,7 @@ xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp)
+ return (FALSE);
+ if (!xdr_array(xdrs, (caddr_t *) &objp->old_keys,
+ (unsigned int *) &objp->old_key_len, ~0,
+- sizeof(osa_pw_hist_ent),
+- xdr_osa_pw_hist_ent))
++ sizeof(osa_pw_hist_ent), (xdrproc_t)xdr_osa_pw_hist_ent))
+ return (FALSE);
+ return (TRUE);
+ }
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 8c3ad3a691..d5bb0b167d 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -30,9 +30,9 @@ static int decrypt_key_data(krb5_context context,
+ /*
+ * XXX Functions that ought to be in libkrb5.a, but aren't.
+ */
+-kadm5_ret_t krb5_copy_key_data_contents(context, from, to)
+- krb5_context context;
+- krb5_key_data *from, *to;
++kadm5_ret_t
++krb5_copy_key_data_contents(krb5_context context, krb5_key_data *from,
++ krb5_key_data *to)
+ {
+ int i, idx;
+
+@@ -75,10 +75,8 @@ static krb5_tl_data *dup_tl_data(krb5_tl_data *tl)
+ }
+
+ /* This is in lib/kdb/kdb_cpw.c, but is static */
+-static void cleanup_key_data(context, count, data)
+- krb5_context context;
+- int count;
+- krb5_key_data * data;
++static void
++cleanup_key_data(krb5_context context, int count, krb5_key_data *data)
+ {
+ int i;
+
+diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
+index 7982956062..f2fae832eb 100644
+--- a/src/lib/kadm5/str_conv.c
++++ b/src/lib/kadm5/str_conv.c
+@@ -267,11 +267,8 @@ cleanup:
+ * Salttype may be negative to indicate a search for only a enctype.
+ */
+ krb5_boolean
+-krb5_keysalt_is_present(ksaltlist, nksalts, enctype, salttype)
+- krb5_key_salt_tuple *ksaltlist;
+- krb5_int32 nksalts;
+- krb5_enctype enctype;
+- krb5_int32 salttype;
++krb5_keysalt_is_present(krb5_key_salt_tuple *ksaltlist, krb5_int32 nksalts,
++ krb5_enctype enctype, krb5_int32 salttype)
+ {
+ krb5_boolean foundit;
+ int i;
+@@ -375,12 +372,11 @@ cleanup:
+ * If ignoresalt set, then salttype is ignored.
+ */
+ krb5_error_code
+-krb5_keysalt_iterate(ksaltlist, nksalt, ignoresalt, iterator, arg)
+- krb5_key_salt_tuple *ksaltlist;
+- krb5_int32 nksalt;
+- krb5_boolean ignoresalt;
+- krb5_error_code (*iterator) (krb5_key_salt_tuple *, krb5_pointer);
+- krb5_pointer arg;
++krb5_keysalt_iterate(krb5_key_salt_tuple *ksaltlist, krb5_int32 nksalt,
++ krb5_boolean ignoresalt,
++ krb5_error_code (*iterator)(krb5_key_salt_tuple *,
++ void *),
++ void *arg)
+ {
+ int i;
+ krb5_error_code kret;
+diff --git a/src/lib/kadm5/t_kadm5.c b/src/lib/kadm5/t_kadm5.c
+index 153147ffbf..b3ab1004f3 100644
+--- a/src/lib/kadm5/t_kadm5.c
++++ b/src/lib/kadm5/t_kadm5.c
+@@ -276,7 +276,7 @@ cpw_test_succeed(char *user, krb5_principal princ, char *pass)
+ }
+
+ static void
+-test_chpass()
++test_chpass(void)
+ {
+ krb5_principal princ = parse_princ("chpass-test");
+ krb5_principal hist_princ = parse_princ("kadmin/history");
+@@ -334,7 +334,7 @@ cpol_test_compare(char *user, kadm5_policy_ent_t ent, uint32_t mask)
+ }
+
+ static void
+-test_create_policy()
++test_create_policy(void)
+ {
+ void *handle;
+ kadm5_policy_ent_rec ent;
+@@ -440,7 +440,7 @@ cprinc_test_compare(char *user, kadm5_principal_ent_t ent, uint32_t mask,
+ }
+
+ static void
+-test_create_principal()
++test_create_principal(void)
+ {
+ void *handle;
+ kadm5_principal_ent_rec ent;
+@@ -535,7 +535,7 @@ dpol_test_succeed(char *user, char *name)
+ }
+
+ static void
+-test_delete_policy()
++test_delete_policy(void)
+ {
+ krb5_principal princ = parse_princ("delete-policy-test-princ");
+
+@@ -587,7 +587,7 @@ dprinc_test_succeed(char *user, krb5_principal princ)
+ }
+
+ static void
+-test_delete_principal()
++test_delete_principal(void)
+ {
+ krb5_principal princ = parse_princ("delete-principal-test");
+
+@@ -638,7 +638,7 @@ gpol_test_fail(char *user, char *name, krb5_error_code code)
+ }
+
+ static void
+-test_get_policy()
++test_get_policy(void)
+ {
+ /* Fails with unknown policy.
*/
+ dpol_test_fail("admin", "unknown-policy", KADM5_UNK_POLICY);
+@@ -684,7 +684,7 @@ gprinc_test_fail(char *user, krb5_principal princ, krb5_error_code code)
+ }
+
+ static void
+-test_get_principal()
++test_get_principal(void)
+ {
+ void *handle;
+ kadm5_principal_ent_rec ent;
+@@ -743,7 +743,7 @@ test_get_principal()
+ }
+
+ static void
+-test_init_destroy()
++test_init_destroy(void)
+ {
+ krb5_context ctx;
+ kadm5_ret_t ret;
+@@ -1019,7 +1019,7 @@ mpol_test_compare(void *handle, kadm5_policy_ent_t ent, uint32_t mask)
+ }
+
+ static void
+-test_modify_policy()
++test_modify_policy(void)
+ {
+ kadm5_policy_ent_rec ent;
+
+@@ -1109,7 +1109,7 @@ mprinc_test_compare(char *user, kadm5_principal_ent_t ent, uint32_t mask)
+ }
+
+ static void
+-test_modify_principal()
++test_modify_principal(void)
+ {
+ void *handle;
+ krb5_principal princ = parse_princ("modify-principal-test");
+@@ -1233,7 +1233,7 @@ rnd_test_succeed(char *user, krb5_principal princ)
+ }
+
+ static void
+-test_randkey()
++test_randkey(void)
+ {
+ void *handle;
+ krb5_principal princ = parse_princ("randkey-principal-test");
+diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
+index 415ae64e22..0837f567cc 100644
+--- a/src/lib/kdb/kdb5.c
++++ b/src/lib/kdb/kdb5.c
+@@ -75,13 +75,13 @@ free_mkey_list(krb5_context context, krb5_keylist_node *mkey_list)
+ }
+
+ int
+-kdb_init_lock_list()
++kdb_init_lock_list(void)
+ {
+ return k5_mutex_finish_init(&db_lock);
+ }
+
+ static int
+-kdb_lock_list()
++kdb_lock_list(void)
+ {
+ int err;
+ err = CALL_INIT_FUNCTION (kdb_init_lock_list);
+@@ -92,14 +92,14 @@ kdb_lock_list()
+ }
+
+ void
+-kdb_fini_lock_list()
++kdb_fini_lock_list(void)
+ {
+ if (INITIALIZER_RAN(kdb_init_lock_list))
+ k5_mutex_destroy(&db_lock);
+ }
+
+ static void
+-kdb_unlock_list()
++kdb_unlock_list(void)
+ {
+ k5_mutex_unlock(&db_lock);
+ }
+diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
+index 450860f470..c33c7cf8d0 100644
+--- a/src/lib/kdb/kdb_cpw.c
++++ b/src/lib/kdb/kdb_cpw.c
+@@ -57,10 +57,7 @@
+ enum save { DISCARD_ALL, KEEP_LAST_KVNO, KEEP_ALL };
+
+ int
+-krb5_db_get_key_data_kvno(context, count, data)
+- krb5_context context;
+- int count;
+- krb5_key_data * data;
++krb5_db_get_key_data_kvno(krb5_context context, int count, krb5_key_data *data)
+ {
+ int i, kvno;
+ /* Find last key version number */
+@@ -73,10 +70,7 @@ krb5_db_get_key_data_kvno(context, count, data)
+ }
+
+ static void
+-cleanup_key_data(context, count, data)
+- krb5_context context;
+- int count;
+- krb5_key_data * data;
++cleanup_key_data(krb5_context context, int count, krb5_key_data *data)
+ {
+ int i;
+
+@@ -149,13 +143,9 @@ preserve_old_keys(krb5_context context, krb5_keyblock *mkey,
+ }
+
+ static krb5_error_code
+-add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
+- krb5_context context;
+- krb5_keyblock * master_key;
+- krb5_key_salt_tuple * ks_tuple;
+- int ks_tuple_count;
+- krb5_db_entry * db_entry;
+- int kvno;
++add_key_rnd(krb5_context context, krb5_keyblock *master_key,
++ krb5_key_salt_tuple *ks_tuple, int ks_tuple_count,
++ krb5_db_entry *db_entry, int kvno)
+ {
+ krb5_keyblock key;
+ int i, j;
+@@ -246,15 +236,9 @@ make_random_salt(krb5_context context, krb5_keysalt *salt_out)
+ * If passwd is NULL the assumes that the caller wants a random password.
+ */
+ static krb5_error_code
+-add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
+- db_entry, kvno)
+- krb5_context context;
+- krb5_keyblock * master_key;
+- krb5_key_salt_tuple * ks_tuple;
+- int ks_tuple_count;
+- const char * passwd;
+- krb5_db_entry * db_entry;
+- int kvno;
++add_key_pwd(krb5_context context, krb5_keyblock *master_key,
++ krb5_key_salt_tuple *ks_tuple, int ks_tuple_count,
++ const char *passwd, krb5_db_entry *db_entry, int kvno)
+ {
+ krb5_error_code retval;
+ krb5_keysalt key_salt;
+diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
+index a623e001ec..346cf962e8 100644
+--- a/src/lib/kdb/keytab.c
++++ b/src/lib/kdb/keytab.c
+@@ -71,10 +71,7 @@ krb5_db_register_keytab(krb5_context context)
+ }
+
+ krb5_error_code
+-krb5_ktkdb_resolve(context, name, id)
+- krb5_context context;
+- const char * name;
+- krb5_keytab * id;
++krb5_ktkdb_resolve(krb5_context context, const char *name, krb5_keytab *id)
+ {
+ if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
+ return(ENOMEM);
+@@ -84,9 +81,7 @@ krb5_ktkdb_resolve(context, name, id)
+ }
+
+ krb5_error_code
+-krb5_ktkdb_close(context, kt)
+- krb5_context context;
+- krb5_keytab kt;
++krb5_ktkdb_close(krb5_context context, krb5_keytab kt)
+ {
+ /*
+ * This routine is responsible for freeing all memory allocated
+@@ -119,13 +114,9 @@ krb5_ktkdb_set_context(krb5_context ctx)
+ }
+
+ krb5_error_code
+-krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
+- krb5_context in_context;
+- krb5_keytab id;
+- krb5_const_principal principal;
+- krb5_kvno kvno;
+- krb5_enctype enctype;
+- krb5_keytab_entry * entry;
++krb5_ktkdb_get_entry(krb5_context in_context, krb5_keytab id,
++ krb5_const_principal principal, krb5_kvno kvno,
++ krb5_enctype enctype, krb5_keytab_entry *entry)
+ {
+ krb5_context context;
+ krb5_error_code kerror = 0;
+diff --git a/src/lib/kdb/t_stringattr.c b/src/lib/kdb/t_stringattr.c
+index 11740368ea..2c643018b5 100644
+---
a/src/lib/kdb/t_stringattr.c
++++ b/src/lib/kdb/t_stringattr.c
+@@ -38,7 +38,7 @@
+ */
+
+ int
+-main()
++main(void)
+ {
+ krb5_db_entry *ent;
+ krb5_context context;
+diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
+index fc2d248001..c5446b890c 100644
+--- a/src/lib/krad/packet.c
++++ b/src/lib/krad/packet.c
+@@ -200,7 +200,7 @@ auth_generate_response(krb5_context ctx, const char *secret,
+
+ /* Create a new packet. */
+ static krad_packet *
+-packet_new()
++packet_new(void)
+ {
+ krad_packet *pkt;
+
+diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
+index 4d285ad9de..d5dd99a174 100644
+--- a/src/lib/krad/t_attr.c
++++ b/src/lib/krad/t_attr.c
+@@ -40,7 +40,7 @@ const static unsigned char auth[] = {
+ };
+
+ int
+-main()
++main(void)
+ {
+ unsigned char outbuf[MAX_ATTRSETSIZE];
+ const char *decoded = "accept";
+diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
+index 0f95762534..4cdb8b7d8e 100644
+--- a/src/lib/krad/t_attrset.c
++++ b/src/lib/krad/t_attrset.c
+@@ -40,7 +40,7 @@ const static unsigned char encpass[] = {
+ };
+
+ int
+-main()
++main(void)
+ {
+ unsigned char buffer[KRAD_PACKET_SIZE_MAX], encoded[MAX_ATTRSETSIZE];
+ const char *username = "testUser", *password = "accept";
+diff --git a/src/lib/krad/t_code.c b/src/lib/krad/t_code.c
+index b245a7efc0..6cd522af55 100644
+--- a/src/lib/krad/t_code.c
++++ b/src/lib/krad/t_code.c
+@@ -30,7 +30,7 @@
+ #include "t_test.h"
+
+ int
+-main()
++main(void)
+ {
+ const char *tmp;
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index 1dadeef64f..ab3cda6fef 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -314,7 +314,7 @@ get_persistent_real(uid_t uid)
+ * for the session anchor.
+ */
+ static key_serial_t
+-session_write_anchor()
++session_write_anchor(void)
+ {
+ key_serial_t s, u;
+
+diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
+index 3bb7a38d44..1286e9e383 100644
+--- a/src/lib/krb5/krb/plugin.c
++++ b/src/lib/krb5/krb/plugin.c
+@@ -355,7 +355,7 @@ load_if_needed(krb5_context context, struct plugin_mapping *map,
+ krb5_error_code ret;
+ char *symname = NULL;
+ struct plugin_file_handle *handle = NULL;
+- void (*initvt_fn)();
++ void (*initvt_fn)(void);
+
+ if (map->module != NULL || map->dyn_path == NULL)
+ return;
+diff --git a/src/lib/krb5/krb/t_authdata.c b/src/lib/krb5/krb/t_authdata.c
+index dd834b9b0c..44f4a1cbd6 100644
+--- a/src/lib/krb5/krb/t_authdata.c
++++ b/src/lib/krb5/krb/t_authdata.c
+@@ -74,7 +74,7 @@ static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
+ }
+
+ int
+-main()
++main(void)
+ {
+ krb5_context context;
+ krb5_authdata **results;
+diff --git a/src/lib/krb5/krb/t_response_items.c b/src/lib/krb5/krb/t_response_items.c
+index 0deb9292a1..a6b02ca055 100644
+--- a/src/lib/krb5/krb/t_response_items.c
++++ b/src/lib/krb5/krb/t_response_items.c
+@@ -61,7 +61,7 @@ nstrcmp(const char *a, const char *b)
+ }
+
+ int
+-main()
++main(void)
+ {
+ k5_response_items *ri;
+
+diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
+index d6746b74bd..9780c2e564 100644
+--- a/src/lib/krb5/krb/t_ser.c
++++ b/src/lib/krb5/krb/t_ser.c
+@@ -195,7 +195,7 @@ ser_checksum(krb5_checksum *cksum)
+ }
+
+ static void
+-ser_context_test()
++ser_context_test(void)
+ {
+ krb5_context context;
+ profile_t sprofile;
+@@ -216,7 +216,7 @@ ser_context_test()
+ }
+
+ static void
+-ser_acontext_test()
++ser_acontext_test(void)
+ {
+ krb5_auth_context actx;
+ krb5_address local_address;
+@@ -306,7 +306,7 @@ ser_acontext_test()
+ }
+
+ static void
+-ser_princ_test()
++ser_princ_test(void)
+ {
+ krb5_principal princ;
+ char pname[1024];
+@@ -320,7 +320,7 @@ ser_princ_test()
+ }
+
+ static void
+-ser_cksum_test() ++ser_cksum_test(void) + { + krb5_checksum checksum; + krb5_octet ckdata[24]; +diff --git a/src/lib/krb5/krb/t_sname_match.c b/src/lib/krb5/krb/t_sname_match.c +index 021b720d65..ee5623c158 100644 +--- a/src/lib/krb5/krb/t_sname_match.c ++++ b/src/lib/krb5/krb/t_sname_match.c +@@ -80,7 +80,7 @@ struct test { + }; + + int +-main() ++main(void) + { + size_t i; + struct test *t; +diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c +index e4b5f1bce4..1a8036e811 100644 +--- a/src/lib/krb5/krb/t_valid_times.c ++++ b/src/lib/krb5/krb/t_valid_times.c +@@ -36,7 +36,7 @@ + #define BOUNDARY (uint32_t)INT32_MIN + + int +-main() ++main(void) + { + krb5_error_code ret; + krb5_context context; +diff --git a/src/lib/krb5/rcache/t_memrcache.c b/src/lib/krb5/rcache/t_memrcache.c +index 6f212b0ecd..665da75ea5 100644 +--- a/src/lib/krb5/rcache/t_memrcache.c ++++ b/src/lib/krb5/rcache/t_memrcache.c +@@ -33,7 +33,7 @@ + #include "memrcache.c" + + int +-main() ++main(void) + { + krb5_error_code ret; + krb5_context context; +diff --git a/src/lib/rpc/auth_gss.c b/src/lib/rpc/auth_gss.c +index 319bc759b1..f61322d82b 100644 +--- a/src/lib/rpc/auth_gss.c ++++ b/src/lib/rpc/auth_gss.c +@@ -445,9 +445,9 @@ authgss_refresh(AUTH *auth, struct rpc_msg *msg) + memset(&gr, 0, sizeof(gr)); + + call_stat = clnt_call(gd->clnt, NULLPROC, +- xdr_rpc_gss_init_args, ++ (xdrproc_t)xdr_rpc_gss_init_args, + &send_token, +- xdr_rpc_gss_init_res, ++ (xdrproc_t)xdr_rpc_gss_init_res, + (caddr_t)&gr, AUTH_TIMEOUT); + + gss_release_buffer(&min_stat, &send_token); +diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c +index 8ab7ab5ba7..b5e03b9641 100644 +--- a/src/lib/rpc/auth_gssapi.c ++++ b/src/lib/rpc/auth_gssapi.c +@@ -283,11 +283,11 @@ next_token: + + PRINTF(("gssapi_create: calling GSSAPI_INIT (%d)\n", init_func)); + +- xdr_free(xdr_authgssapi_init_res, &call_res); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_res, &call_res); + memset(&call_res, 0, 
sizeof(call_res)); + callstat = clnt_call(clnt, init_func, +- xdr_authgssapi_init_arg, &call_arg, +- xdr_authgssapi_init_res, &call_res, ++ (xdrproc_t)xdr_authgssapi_init_arg, &call_arg, ++ (xdrproc_t)xdr_authgssapi_init_res, &call_res, + timeout); + gss_release_buffer(minor_stat, &call_arg.token); + +@@ -436,7 +436,7 @@ next_token: + /* don't assume the caller will want to change clnt->cl_auth */ + clnt->cl_auth = save_auth; + +- xdr_free(xdr_authgssapi_init_res, &call_res); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_res, &call_res); + return auth; + + /******************************************************************/ +@@ -458,7 +458,7 @@ cleanup: + if (rpc_createerr.cf_stat == 0) + rpc_createerr.cf_stat = RPC_AUTHERROR; + +- xdr_free(xdr_authgssapi_init_res, &call_res); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_res, &call_res); + return auth; + } + +@@ -760,7 +760,7 @@ skip_call: + static bool_t auth_gssapi_wrap( + AUTH *auth, + XDR *out_xdrs, +- bool_t (*xdr_func)(), ++ xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + OM_uint32 gssstat, minor_stat; +@@ -791,7 +791,7 @@ static bool_t auth_gssapi_wrap( + static bool_t auth_gssapi_unwrap( + AUTH *auth, + XDR *in_xdrs, +- bool_t (*xdr_func)(), ++ xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + OM_uint32 gssstat, minor_stat; +diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c +index a60eb7f7cb..57fc1fb39f 100644 +--- a/src/lib/rpc/auth_gssapi_misc.c ++++ b/src/lib/rpc/auth_gssapi_misc.c +@@ -199,7 +199,7 @@ bool_t auth_gssapi_wrap_data( + gss_ctx_id_t context, + uint32_t seq_num, + XDR *out_xdrs, +- bool_t (*xdr_func)(), ++ xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + gss_buffer_desc in_buf, out_buf; +@@ -267,7 +267,7 @@ bool_t auth_gssapi_unwrap_data( + gss_ctx_id_t context, + uint32_t seq_num, + XDR *in_xdrs, +- bool_t (*xdr_func)(), ++ xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + gss_buffer_desc in_buf, out_buf; +diff --git a/src/lib/rpc/authunix_prot.c b/src/lib/rpc/authunix_prot.c +index 
512d5a51b7..92276c3ad4 100644 +--- a/src/lib/rpc/authunix_prot.c ++++ b/src/lib/rpc/authunix_prot.c +@@ -58,7 +58,8 @@ xdr_authunix_parms(XDR *xdrs, struct authunix_parms *p) + && xdr_int(xdrs, &(p->aup_uid)) + && xdr_int(xdrs, &(p->aup_gid)) + && xdr_array(xdrs, (caddr_t *)&(p->aup_gids), +- &(p->aup_len), NGRPS, sizeof(int), xdr_int) ) { ++ &(p->aup_len), NGRPS, sizeof(int), ++ (xdrproc_t)xdr_int)) { + return (TRUE); + } + return (FALSE); +diff --git a/src/lib/rpc/clnt_perror.c b/src/lib/rpc/clnt_perror.c +index fcc3657464..912b267867 100644 +--- a/src/lib/rpc/clnt_perror.c ++++ b/src/lib/rpc/clnt_perror.c +@@ -76,7 +76,6 @@ char * + clnt_sperror(CLIENT *rpch, char *s) + { + struct rpc_err e; +- void clnt_perrno(); + char *err; + char *bufstart = get_buf(); + char *str = bufstart; +diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c +index dcbb5cf23d..7e62a5c776 100644 +--- a/src/lib/rpc/clnt_raw.c ++++ b/src/lib/rpc/clnt_raw.c +@@ -80,7 +80,7 @@ static struct clnt_ops client_ops = { + clntraw_control + }; + +-void svc_getreq(); ++void svc_getreq(int); + + /* + * Create a client handle for memory based rpc. +diff --git a/src/lib/rpc/dyn.c b/src/lib/rpc/dyn.c +index bce1fd2a7d..a505f34817 100644 +--- a/src/lib/rpc/dyn.c ++++ b/src/lib/rpc/dyn.c +@@ -30,10 +30,8 @@ + /* + * Made obsolete by DynInsert, now just a convenience function. 
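Review bot: `void svc_getreq(int);` in clnt_raw.c is still a file-local prototype for a function defined in another translation unit, so the definition and this declaration can drift apart without the compiler noticing. If the gssrpc svc header already declares svc_getreq (I cannot see it from this hunk), including that header and deleting this line gives one authoritative declaration, which is the same clean-up the patch does for `clnt_perror()` in pmap_clnt.c. If the header does not declare it, a comment such as `/* Defined in svc.c; not part of the public gssrpc API. */` above the line would at least tell the next reader where it lives.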
+ */ +-int DynAppend(obj, els, num) +- DynObjectP obj; +- DynPtr els; +- int num; ++int ++DynAppend(DynObjectP obj, DynPtr els, int num) + { + return DynInsert(obj, DynSize(obj), els, num); + } +@@ -52,8 +50,8 @@ int DynAppend(obj, els, num) + + static int default_increment = DEFAULT_INC; + +-DynObjectP DynCreate(el_size, inc) +- int el_size, inc; ++DynObjectP ++DynCreate(int el_size, int inc) + { + DynObjectP obj; + +@@ -77,8 +75,8 @@ DynObjectP DynCreate(el_size, inc) + return obj; + } + +-DynObjectP DynCopy(obj) +- DynObjectP obj; ++DynObjectP ++DynCopy(DynObjectP obj) + { + DynObjectP obj1; + +@@ -104,8 +102,8 @@ DynObjectP DynCopy(obj) + return obj1; + } + +-int DynDestroy(obj) +- /*@only@*/DynObjectP obj; ++int ++DynDestroy(/*@only@*/DynObjectP obj) + { + if (obj->paranoid) { + if (obj->debug) +@@ -118,8 +116,8 @@ int DynDestroy(obj) + return DYN_OK; + } + +-int DynRelease(obj) +- DynObjectP obj; ++int ++DynRelease(DynObjectP obj) + { + if (obj->debug) + fprintf(stderr, "dyn: release: freeing object structure.\n"); +@@ -134,9 +132,8 @@ int DynRelease(obj) + * contains the source code for the function DynDebug(). + */ + +-int DynDebug(obj, state) +- DynObjectP obj; +- int state; ++int ++DynDebug(DynObjectP obj, int state) + { + obj->debug = state; + +@@ -155,9 +152,8 @@ int DynDebug(obj, state) + * Checkers! Get away from that "hard disk erase" button! + * (Stupid dog. He almost did it to me again ...) + */ +-int DynDelete(obj, idx) +- DynObjectP obj; +- int idx; ++int ++DynDelete(DynObjectP obj, int idx) + { + if (idx < 0) { + if (obj->debug) +@@ -219,9 +215,8 @@ int DynDelete(obj, idx) + * contains the source code for the function DynInitZero(). + */ + +-int DynInitzero(obj, state) +- DynObjectP obj; +- int state; ++int ++DynInitzero(DynObjectP obj, int state) + { + obj->initzero = state; + +@@ -237,10 +232,8 @@ int DynInitzero(obj, state) + * contains the source code for the function DynInsert(). 
+ */ + +-int DynInsert(obj, idx, els_in, num) +- DynObjectP obj; +- void *els_in; +- int idx, num; ++int ++DynInsert(DynObjectP obj, int idx, void *els_in, int num) + { + DynPtr els = (DynPtr) els_in; + int ret; +@@ -290,9 +283,8 @@ int DynInsert(obj, idx, els_in, num) + * contains the source code for the function DynDebug(). + */ + +-int DynParanoid(obj, state) +- DynObjectP obj; +- int state; ++int ++DynParanoid(DynObjectP obj, int state) + { + obj->paranoid = state; + +@@ -308,8 +300,8 @@ int DynParanoid(obj, state) + * contains the source code for the functions DynGet() and DynAdd(). + */ + +-DynPtr DynArray(obj) +- DynObjectP obj; ++DynPtr ++DynArray(DynObjectP obj) + { + if (obj->debug) + fprintf(stderr, "dyn: array: returning array pointer %p.\n", +@@ -318,9 +310,8 @@ DynPtr DynArray(obj) + return obj->array; + } + +-DynPtr DynGet(obj, num) +- DynObjectP obj; +- int num; ++DynPtr ++DynGet(DynObjectP obj, int num) + { + if (num < 0) { + if (obj->debug) +@@ -342,9 +333,7 @@ DynPtr DynGet(obj, num) + return (DynPtr) obj->array + obj->el_size*num; + } + +-int DynAdd(obj, el) +- DynObjectP obj; +- void *el; ++int DynAdd(DynObjectP obj, void *el) + { + int ret; + +@@ -364,10 +353,8 @@ int DynAdd(obj, el) + * obj->num_el) will not be updated properly and many other functions + * in the library will lose. Have a nice day. + */ +-int DynPut(obj, el_in, idx) +- DynObjectP obj; +- void *el_in; +- int idx; ++int ++DynPut(DynObjectP obj, void *el_in, int idx) + { + DynPtr el = (DynPtr) el_in; + int ret; +@@ -397,9 +384,8 @@ int DynPut(obj, el_in, idx) + /* + * Resize the array so that element req exists. + */ +-int _DynResize(obj, req) +- DynObjectP obj; +- int req; ++int ++_DynResize(DynObjectP obj, int req) + { + int size; + +@@ -430,9 +416,8 @@ int _DynResize(obj, req) + * Ideally, this function should not be called from outside the + * library. However, nothing will break if it is. 
+ */ +-int _DynRealloc(obj, num_incs) +- DynObjectP obj; +- int num_incs; ++int ++_DynRealloc(DynObjectP obj, int num_incs) + { + DynPtr temp; + int new_size_in_bytes; +@@ -475,8 +460,8 @@ int _DynRealloc(obj, num_incs) + * contains the source code for the function DynSize(). + */ + +-int DynSize(obj) +- DynObjectP obj; ++int ++DynSize(DynObjectP obj) + { + if (obj->debug) + fprintf(stderr, "dyn: size: returning size %d.\n", obj->num_el); +@@ -484,8 +469,8 @@ int DynSize(obj) + return obj->num_el; + } + +-int DynCapacity(obj) +- DynObjectP obj; ++int ++DynCapacity(DynObjectP obj) + { + if (obj->debug) + fprintf(stderr, "dyn: capacity: returning cap of %d.\n", obj->size); +diff --git a/src/lib/rpc/pmap_clnt.c b/src/lib/rpc/pmap_clnt.c +index 952a251453..5c3bba3528 100644 +--- a/src/lib/rpc/pmap_clnt.c ++++ b/src/lib/rpc/pmap_clnt.c +@@ -54,8 +54,6 @@ static char sccsid[] = "@(#)pmap_clnt.c 1.37 87/08/11 Copyr 1984 Sun Micro"; + static struct timeval timeout = { 5, 0 }; + static struct timeval tottimeout = { 60, 0 }; + +-void clnt_perror(); +- + /* + * Set a mapping between program,version and port. + * Calls the pmap service remotely to do the mapping. 
+@@ -128,7 +126,8 @@ pmap_set( + } + } + #endif +- if (CLNT_CALL(client, PMAPPROC_SET, xdr_pmap, &parms, xdr_bool, &rslt, ++ if (CLNT_CALL(client, PMAPPROC_SET, (xdrproc_t)xdr_pmap, &parms, ++ (xdrproc_t)xdr_bool, &rslt, + tottimeout) != RPC_SUCCESS) { + clnt_perror(client, "Cannot register service"); + return (FALSE); +@@ -161,8 +160,8 @@ pmap_unset( + parms.pm_prog = program; + parms.pm_vers = version; + parms.pm_port = parms.pm_prot = 0; +- CLNT_CALL(client, PMAPPROC_UNSET, xdr_pmap, &parms, xdr_bool, &rslt, +- tottimeout); ++ CLNT_CALL(client, PMAPPROC_UNSET, (xdrproc_t)xdr_pmap, &parms, ++ (xdrproc_t)xdr_bool, &rslt, tottimeout); + CLNT_DESTROY(client); + (void)close(sock); + return (rslt); +diff --git a/src/lib/rpc/pmap_getmaps.c b/src/lib/rpc/pmap_getmaps.c +index b8a9cecf7e..a9c4c52906 100644 +--- a/src/lib/rpc/pmap_getmaps.c ++++ b/src/lib/rpc/pmap_getmaps.c +@@ -77,8 +77,9 @@ pmap_getmaps(struct sockaddr_in *address) + client = clnttcp_create(address, PMAPPROG, + PMAPVERS, &sock, 50, 500); + if (client != (CLIENT *)NULL) { +- if (CLNT_CALL(client, PMAPPROC_DUMP, xdr_void, NULL, xdr_pmaplist, +- &head, minutetimeout) != RPC_SUCCESS) { ++ if (CLNT_CALL(client, PMAPPROC_DUMP, xdr_void, NULL, ++ (xdrproc_t)xdr_pmaplist, &head, ++ minutetimeout) != RPC_SUCCESS) { + clnt_perror(client, "pmap_getmaps rpc problem"); + } + CLNT_DESTROY(client); +diff --git a/src/lib/rpc/pmap_getport.c b/src/lib/rpc/pmap_getport.c +index 66635a1034..2d0792b698 100644 +--- a/src/lib/rpc/pmap_getport.c ++++ b/src/lib/rpc/pmap_getport.c +@@ -79,8 +79,10 @@ pmap_getport( + parms.pm_vers = version; + parms.pm_prot = protocol; + parms.pm_port = 0; /* not needed or used */ +- if (CLNT_CALL(client, PMAPPROC_GETPORT, xdr_pmap, &parms, +- xdr_u_short, &port, tottimeout) != RPC_SUCCESS){ ++ if (CLNT_CALL(client, PMAPPROC_GETPORT, ++ (xdrproc_t)xdr_pmap, &parms, ++ (xdrproc_t)xdr_u_short, &port, ++ tottimeout) != RPC_SUCCESS){ + rpc_createerr.cf_stat = RPC_PMAPFAILURE; + clnt_geterr(client, 
&rpc_createerr.cf_error); + } else if (port == 0) { +diff --git a/src/lib/rpc/pmap_prot2.c b/src/lib/rpc/pmap_prot2.c +index aeccac6637..3c0c612bec 100644 +--- a/src/lib/rpc/pmap_prot2.c ++++ b/src/lib/rpc/pmap_prot2.c +@@ -109,7 +109,8 @@ xdr_pmaplist(XDR *xdrs, struct pmaplist **rp) + if (freeing) + next = &((*rp)->pml_next); + if (! xdr_reference(xdrs, (caddr_t *)rp, +- (u_int)sizeof(struct pmaplist), xdr_pmap)) ++ (u_int)sizeof(struct pmaplist), ++ (xdrproc_t)xdr_pmap)) + return (FALSE); + rp = (freeing) ? next : &((*rp)->pml_next); + } +diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c +index 8c7e30c21a..434e4eea65 100644 +--- a/src/lib/rpc/pmap_rmt.c ++++ b/src/lib/rpc/pmap_rmt.c +@@ -105,8 +105,9 @@ pmap_rmtcall( + r.port_ptr = port_ptr; + r.results_ptr = resp; + r.xdr_results = xdrres; +- stat = CLNT_CALL(client, PMAPPROC_CALLIT, xdr_rmtcall_args, &a, +- xdr_rmtcallres, &r, tout); ++ stat = CLNT_CALL(client, PMAPPROC_CALLIT, ++ (xdrproc_t)xdr_rmtcall_args, &a, ++ (xdrproc_t)xdr_rmtcallres, &r, tout); + CLNT_DESTROY(client); + } else { + stat = RPC_FAILED; +@@ -161,7 +162,8 @@ xdr_rmtcallres( + + port_ptr = (caddr_t)(void *)crp->port_ptr; + if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), +- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) { ++ (xdrproc_t)xdr_u_int32) && ++ xdr_u_int32(xdrs, &crp->resultslen)) { + crp->port_ptr = (uint32_t *)(void *)port_ptr; + return ((*(crp->xdr_results))(xdrs, crp->results_ptr)); + } +@@ -343,7 +345,7 @@ clnt_broadcast( + recv_again: + msg.acpted_rply.ar_verf = gssrpc__null_auth; + msg.acpted_rply.ar_results.where = (caddr_t)&r; +- msg.acpted_rply.ar_results.proc = xdr_rmtcallres; ++ msg.acpted_rply.ar_results.proc = (xdrproc_t)xdr_rmtcallres; + readfds = mask; + t2 = t; + switch (select(gssrpc__rpc_dtablesize(), &readfds, (fd_set *)NULL, +diff --git a/src/lib/rpc/rpc_prot.c b/src/lib/rpc/rpc_prot.c +index 9b82e12c34..296968b946 100644 +--- a/src/lib/rpc/rpc_prot.c ++++ b/src/lib/rpc/rpc_prot.c +@@ 
-132,8 +132,8 @@ xdr_rejected_reply(XDR *xdrs, struct rejected_reply *rr) + } + + static struct xdr_discrim reply_dscrm[3] = { +- { (int)MSG_ACCEPTED, xdr_accepted_reply }, +- { (int)MSG_DENIED, xdr_rejected_reply }, ++ { (int)MSG_ACCEPTED, (xdrproc_t)xdr_accepted_reply }, ++ { (int)MSG_DENIED, (xdrproc_t)xdr_rejected_reply }, + { __dontcare__, NULL_xdrproc_t } }; + + /* +diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c +index cfbc7aad4d..0bcf04e8d4 100644 +--- a/src/lib/rpc/svc.c ++++ b/src/lib/rpc/svc.c +@@ -80,7 +80,7 @@ static struct svc_callout { + struct svc_callout *sc_next; + rpcprog_t sc_prog; + rpcprog_t sc_vers; +- void (*sc_dispatch)(); ++ void (*sc_dispatch)(struct svc_req *, SVCXPRT *); + } *svc_head; + + static struct svc_callout *svc_find(rpcprog_t, rpcvers_t, +@@ -162,7 +162,7 @@ svc_register( + SVCXPRT *xprt, + rpcprog_t prog, + rpcvers_t vers, +- void (*dispatch)(), ++ void (*dispatch)(struct svc_req *, SVCXPRT *), + int protocol) + { + struct svc_callout *prev; +diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c +index aba7694807..98d601c8ab 100644 +--- a/src/lib/rpc/svc_auth_gss.c ++++ b/src/lib/rpc/svc_auth_gss.c +@@ -193,7 +193,7 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, + /* Deserialize arguments. 
*/ + memset(&recv_tok, 0, sizeof(recv_tok)); + +- if (!svc_getargs(rqst->rq_xprt, xdr_rpc_gss_init_args, ++ if (!svc_getargs(rqst->rq_xprt, (xdrproc_t)xdr_rpc_gss_init_args, + (caddr_t)&recv_tok)) + return (FALSE); + +@@ -209,7 +209,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, + NULL, + NULL); + +- svc_freeargs(rqst->rq_xprt, xdr_rpc_gss_init_args, (caddr_t)&recv_tok); ++ svc_freeargs(rqst->rq_xprt, (xdrproc_t)xdr_rpc_gss_init_args, ++ (caddr_t)&recv_tok); + + log_status("accept_sec_context", gr->gr_major, gr->gr_minor); + if (gr->gr_major != GSS_S_COMPLETE && +@@ -495,7 +496,8 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, + } + *no_dispatch = TRUE; + +- call_stat = svc_sendreply(rqst->rq_xprt, xdr_rpc_gss_init_res, ++ call_stat = svc_sendreply(rqst->rq_xprt, ++ (xdrproc_t)xdr_rpc_gss_init_res, + (caddr_t)&gr); + + gss_release_buffer(&min_stat, &gr.gr_token); +@@ -544,7 +546,7 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, + } + retstat = AUTH_OK; + freegc: +- xdr_free(xdr_rpc_gss_cred, gc); ++ xdr_free((xdrproc_t)xdr_rpc_gss_cred, gc); + log_debug("returning %d from svcauth_gss()", retstat); + return (retstat); + } +diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c +index b7ffee4515..267c1545bd 100644 +--- a/src/lib/rpc/svc_auth_gssapi.c ++++ b/src/lib/rpc/svc_auth_gssapi.c +@@ -201,7 +201,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + if (! 
xdr_authgssapi_creds(&xdrs, &creds)) { + PRINTF(("svcauth_gssapi: failed decoding creds\n")); + LOG_MISCERR("protocol error in client credentials"); +- xdr_free(xdr_authgssapi_creds, &creds); ++ xdr_free((xdrproc_t)xdr_authgssapi_creds, &creds); + XDR_DESTROY(&xdrs); + ret = AUTH_BADCRED; + goto error; +@@ -223,7 +223,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + if (creds.auth_msg && rqst->rq_proc == AUTH_GSSAPI_EXIT) { + PRINTF(("svcauth_gssapi: GSSAPI_EXIT, cleaning up\n")); + svc_sendreply(rqst->rq_xprt, xdr_void, NULL); +- xdr_free(xdr_authgssapi_creds, &creds); ++ xdr_free((xdrproc_t)xdr_authgssapi_creds, &creds); + cleanup(); + exit(0); + } +@@ -306,7 +306,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + + /* call is for us, deserialize arguments */ + memset(&call_arg, 0, sizeof(call_arg)); +- if (! svc_getargs(rqst->rq_xprt, xdr_authgssapi_init_arg, ++ if (! svc_getargs(rqst->rq_xprt, (xdrproc_t)xdr_authgssapi_init_arg, + &call_arg)) { + PRINTF(("svcauth_gssapi: cannot decode args\n")); + LOG_MISCERR("protocol error in procedure arguments"); +@@ -446,7 +446,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + minor_stat = call_res.gss_minor; + + /* done with call args */ +- xdr_free(xdr_authgssapi_init_arg, &call_arg); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_arg, &call_arg); + + PRINTF(("svcauth_gssapi: accept_sec_context returned %#x %#x\n", + call_res.gss_major, call_res.gss_minor)); +@@ -459,7 +459,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + badauth(call_res.gss_major, call_res.gss_minor, rqst->rq_xprt); + + gss_release_buffer(&minor_stat, &output_token); +- svc_sendreply(rqst->rq_xprt, xdr_authgssapi_init_res, ++ svc_sendreply(rqst->rq_xprt, (xdrproc_t)xdr_authgssapi_init_res, + (caddr_t) &call_res); + *no_dispatch = TRUE; + ret = AUTH_OK; +@@ -492,7 +492,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + } + + PRINTF(("svcauth_gssapi: sending reply\n")); +- svc_sendreply(rqst->rq_xprt, xdr_authgssapi_init_res, ++ svc_sendreply(rqst->rq_xprt, 
(xdrproc_t)xdr_authgssapi_init_res, + (caddr_t) &call_res); + *no_dispatch = TRUE; + +@@ -583,11 +583,13 @@ enum auth_stat gssrpc__svcauth_gssapi( + case AUTH_GSSAPI_MSG: + PRINTF(("svcauth_gssapi: GSSAPI_MSG, getting args\n")); + memset(&call_arg, 0, sizeof(call_arg)); +- if (! svc_getargs(rqst->rq_xprt, xdr_authgssapi_init_arg, ++ if (! svc_getargs(rqst->rq_xprt, ++ (xdrproc_t)xdr_authgssapi_init_arg, + &call_arg)) { + PRINTF(("svcauth_gssapi: cannot decode args\n")); + LOG_MISCERR("protocol error in call arguments"); +- xdr_free(xdr_authgssapi_init_arg, &call_arg); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_arg, ++ &call_arg); + ret = AUTH_BADCRED; + goto error; + } +@@ -598,7 +600,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + &call_arg.token); + + /* done with call args */ +- xdr_free(xdr_authgssapi_init_arg, &call_arg); ++ xdr_free((xdrproc_t)xdr_authgssapi_init_arg, &call_arg); + + if (gssstat != GSS_S_COMPLETE) { + AUTH_GSSAPI_DISPLAY_STATUS(("processing token", +@@ -641,7 +643,7 @@ enum auth_stat gssrpc__svcauth_gssapi( + if (creds.client_handle.length != 0) { + PRINTF(("svcauth_gssapi: freeing client_handle len %d\n", + (int) creds.client_handle.length)); +- xdr_free(xdr_authgssapi_creds, &creds); ++ xdr_free((xdrproc_t)xdr_authgssapi_creds, &creds); + } + + PRINTF(("\n")); +@@ -651,7 +653,7 @@ error: + if (creds.client_handle.length != 0) { + PRINTF(("svcauth_gssapi: freeing client_handle len %d\n", + (int) creds.client_handle.length)); +- xdr_free(xdr_authgssapi_creds, &creds); ++ xdr_free((xdrproc_t)xdr_authgssapi_creds, &creds); + } + + PRINTF(("\n")); +@@ -1079,7 +1081,7 @@ void svcauth_gssapi_set_log_miscerr_func( + static bool_t svc_auth_gssapi_wrap( + SVCAUTH *auth, + XDR *out_xdrs, +- bool_t (*xdr_func)(), ++ xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + OM_uint32 gssstat, minor_stat; +@@ -1102,7 +1104,7 @@ static bool_t svc_auth_gssapi_wrap( + static bool_t svc_auth_gssapi_unwrap( + SVCAUTH *auth, + XDR *in_xdrs, +- bool_t (*xdr_func)(), ++ 
xdrproc_t xdr_func, + caddr_t xdr_ptr) + { + svc_auth_gssapi_data *client_data = SVCAUTH_PRIVATE(auth); +diff --git a/src/lib/rpc/svc_simple.c b/src/lib/rpc/svc_simple.c +index 315275f5fd..aa6c0a63d0 100644 +--- a/src/lib/rpc/svc_simple.c ++++ b/src/lib/rpc/svc_simple.c +@@ -48,7 +48,7 @@ static char sccsid[] = "@(#)svc_simple.c 1.18 87/08/11 Copyr 1984 Sun Micro"; + #include + + static struct proglst { +- char *(*p_progname)(); ++ char *(*p_progname)(void *); + int p_prognum; + int p_procnum; + xdrproc_t p_inproc, p_outproc; +@@ -62,7 +62,7 @@ registerrpc( + rpcprog_t prognum, + rpcvers_t versnum, + rpcproc_t procnum, +- char *(*progname)(), ++ char *(*progname)(void *), + xdrproc_t inproc, + xdrproc_t outproc) + { +diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/unit-test/client.c +index c9a812bc5a..9b907bcdc6 100644 +--- a/src/lib/rpc/unit-test/client.c ++++ b/src/lib/rpc/unit-test/client.c +@@ -42,7 +42,7 @@ char *whoami; + #ifdef __GNUC__ + __attribute__((noreturn)) + #endif +-static void usage() ++static void usage(void) + { + fprintf(stderr, "usage: %s {-t|-u} [-a] [-s num] [-m num] host service [count]\n", + whoami); +@@ -50,9 +50,7 @@ static void usage() + } + + int +-main(argc, argv) +- int argc; +- char **argv; ++main(int argc, char **argv) + { + char *host, *port, *target, *echo_arg, **echo_resp, buf[BIG_BUF]; + CLIENT *clnt; +@@ -172,7 +170,7 @@ main(argc, argv) + strcmp(echo_arg, (*echo_resp) + 6) != 0) + fprintf(stderr, "RPC_TEST_ECHO call %d response wrong: " + "arg = %s, resp = %s\n", i, echo_arg, *echo_resp); +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + } + + /* +@@ -194,7 +192,7 @@ main(argc, argv) + clnt_perror(clnt, whoami); + } else { + fprintf(stderr, "bad seq didn't cause failure\n"); +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + } + + AUTH_PRIVATE(clnt->cl_auth)->seq_num -= 3; +@@ -207,7 +205,7 @@ main(argc, 
argv) + if (echo_resp == NULL) + clnt_perror(clnt, "Sequence number improperly reset"); + else +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + + /* + * Now simulate a lost server response, and see if +@@ -219,7 +217,7 @@ main(argc, argv) + if (echo_resp == NULL) + clnt_perror(clnt, "Auto-resynchronization failed"); + else +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + + /* + * Now make sure auto-resyncrhonization actually worked +@@ -229,7 +227,7 @@ main(argc, argv) + if (echo_resp == NULL) + clnt_perror(clnt, "Auto-resynchronization did not work"); + else +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + + if (! auth_once) { + tmp_auth = clnt->cl_auth; +@@ -259,7 +257,7 @@ main(argc, argv) + strcmp(echo_arg, (*echo_resp) + 6) != 0) + fprintf(stderr, + "RPC_TEST_LENGTHS call %d response wrong\n", i); +- gssrpc_xdr_free(xdr_wrapstring, echo_resp); ++ gssrpc_xdr_free((xdrproc_t)xdr_wrapstring, echo_resp); + } + + /* cycle from 1 to 255 */ +diff --git a/src/lib/rpc/unit-test/rpc_test_clnt.c b/src/lib/rpc/unit-test/rpc_test_clnt.c +index 4e4a18a720..b9141672b1 100644 +--- a/src/lib/rpc/unit-test/rpc_test_clnt.c ++++ b/src/lib/rpc/unit-test/rpc_test_clnt.c +@@ -5,9 +5,7 @@ + static struct timeval TIMEOUT = { 25, 0 }; + + char ** +-rpc_test_echo_1(argp, clnt) +- char **argp; +- CLIENT *clnt; ++rpc_test_echo_1(char **argp, CLIENT *clnt) + { + static char *clnt_res; + +diff --git a/src/lib/rpc/unit-test/rpc_test_svc.c b/src/lib/rpc/unit-test/rpc_test_svc.c +index c54c0813db..3aa7674c51 100644 +--- a/src/lib/rpc/unit-test/rpc_test_svc.c ++++ b/src/lib/rpc/unit-test/rpc_test_svc.c +@@ -14,16 +14,14 @@ static int _rpcsvcstate = _IDLE; /* Set when a request is serviced */ + static int _rpcsvccount = 0; /* Number of requests being serviced */ + + void +-rpc_test_prog_1_svc(rqstp, transp) +- struct svc_req 
*rqstp; +- SVCXPRT *transp; ++rpc_test_prog_1_svc(struct svc_req *rqstp, SVCXPRT *transp) + { + union { + char *rpc_test_echo_1_arg; + } argument; + char *result; +- bool_t (*xdr_argument)(), (*xdr_result)(); +- char *(*local)(); ++ xdrproc_t xdr_argument, xdr_result; ++ char *(*local)(char *, struct svc_req *); + + _rpcsvccount++; + switch (rqstp->rq_proc) { +@@ -35,9 +33,9 @@ rpc_test_prog_1_svc(rqstp, transp) + return; + + case RPC_TEST_ECHO: +- xdr_argument = xdr_wrapstring; +- xdr_result = xdr_wrapstring; +- local = (char *(*)()) rpc_test_echo_1_svc; ++ xdr_argument = (xdrproc_t)xdr_wrapstring; ++ xdr_result = (xdrproc_t)xdr_wrapstring; ++ local = (char *(*)(char *, struct svc_req *)) rpc_test_echo_1_svc; + break; + + default: +@@ -53,7 +51,7 @@ rpc_test_prog_1_svc(rqstp, transp) + _rpcsvcstate = _SERVED; + return; + } +- result = (*local)(&argument, rqstp); ++ result = (*local)((char *)&argument, rqstp); + if (result != NULL && !svc_sendreply(transp, xdr_result, result)) { + svcerr_systemerr(transp); + } +diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c +index c3bbcbf8cf..4400b969f6 100644 +--- a/src/lib/rpc/unit-test/server.c ++++ b/src/lib/rpc/unit-test/server.c +@@ -40,7 +40,7 @@ static void rpc_test_badverf(gss_name_t client, gss_name_t server, + #define SERVICE_NAME "host" + #endif + +-static void usage() ++static void usage(void) + { + fprintf(stderr, "Usage: server {-t|-u} [svc-debug] [misc-debug]\n"); + exit(1); +diff --git a/src/lib/rpc/xdr.c b/src/lib/rpc/xdr.c +index 24c3de4bd9..49c31b3d1b 100644 +--- a/src/lib/rpc/xdr.c ++++ b/src/lib/rpc/xdr.c +@@ -579,14 +579,14 @@ xdr_union( + */ + for (; choices->proc != NULL_xdrproc_t; choices++) { + if (choices->value == dscm) +- return ((*(choices->proc))(xdrs, unp, LASTUNSIGNED)); ++ return choices->proc(xdrs, unp); + } + + /* + * no match - execute the default xdr routine if there is one + */ + return ((dfault == NULL_xdrproc_t) ? 
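Review bot: `result = (*local)((char *)&argument, rqstp);` still calls rpc_test_echo_1_svc through a pointer of type `char *(*)(char *, struct svc_req *)`, and if that routine is declared like its client counterpart `rpc_test_echo_1(char **argp, CLIENT *clnt)` in rpc_test_clnt.c, the parameter and return types do not match the pointer's. Calling a function through a pointer of incompatible type is undefined behaviour in C even where the platform ABI makes it work, so the new casts in the RPC_TEST_ECHO arm and here only silence the warning rather than remove the mismatch. If the _svc routine does take `char **`, declaring `char **(*local)(char **, struct svc_req *);` and calling `result = (char *)(*local)(&argument.rpc_test_echo_1_arg, rqstp);` keeps the behaviour and drops the UB; please confirm against rpc_test.h. rpc_test_prog_1_svc begins outside this hunk.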
FALSE : +- (*dfault)(xdrs, unp, LASTUNSIGNED)); ++ (*dfault)(xdrs, unp)); + } + + +diff --git a/src/lib/rpc/xdr_array.c b/src/lib/rpc/xdr_array.c +index aeaa7f2bb0..3507d53aef 100644 +--- a/src/lib/rpc/xdr_array.c ++++ b/src/lib/rpc/xdr_array.c +@@ -113,7 +113,7 @@ xdr_array( + * now we xdr each element of array + */ + for (i = 0; (i < c) && stat; i++) { +- stat = (*elproc)(xdrs, target, LASTUNSIGNED); ++ stat = (*elproc)(xdrs, target); + target += elsize; + } + +@@ -150,7 +150,7 @@ xdr_vector( + + elptr = basep; + for (i = 0; i < nelem; i++) { +- if (! (*xdr_elem)(xdrs, elptr, LASTUNSIGNED)) { ++ if (! (*xdr_elem)(xdrs, elptr)) { + return(FALSE); + } + elptr += elemsize; +diff --git a/src/lib/rpc/xdr_rec.c b/src/lib/rpc/xdr_rec.c +index 1f6a7762fd..185254018a 100644 +--- a/src/lib/rpc/xdr_rec.c ++++ b/src/lib/rpc/xdr_rec.c +@@ -99,7 +99,7 @@ typedef struct rec_strm { + /* + * out-goung bits + */ +- int (*writeit)(); ++ int (*writeit)(caddr_t, caddr_t, int); + caddr_t out_base; /* output buffer (points to frag header) */ + caddr_t out_finger; /* next output position */ + caddr_t out_boundry; /* data cannot up to this address */ +@@ -108,7 +108,7 @@ typedef struct rec_strm { + /* + * in-coming bits + */ +- int (*readit)(); ++ int (*readit)(caddr_t, caddr_t, int); + uint32_t in_size; /* fixed size of the input buffer */ + caddr_t in_base; + caddr_t in_finger; /* location of next byte to be had */ +@@ -140,8 +140,10 @@ xdrrec_create( + u_int sendsize, + u_int recvsize, + caddr_t tcp_handle, +- int (*readit)(), /* like read, but pass it a tcp_handle, not sock */ +- int (*writeit)() /* like write, but pass it a tcp_handle, not sock */ ++ /* like read, but pass it a tcp_handle, not sock */ ++ int (*readit)(caddr_t, caddr_t, int), ++ /* like write, but pass it a tcp_handle, not sock */ ++ int (*writeit)(caddr_t, caddr_t, int) + ) + { + RECSTREAM *rstrm = mem_alloc(sizeof(RECSTREAM)); +@@ -528,8 +530,7 @@ get_input_bytes(RECSTREAM *rstrm, caddr_t addr, int len) + } + + 
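Review bot: The two rewritten calls in xdr_union spell the same operation differently: the matched arm uses `return choices->proc(xdrs, unp);` while the default arm keeps the explicit dereference `(*dfault)(xdrs, unp)`, which reads as if the two pointers were of different kinds although both are xdrproc_t. Writing the default arm as `dfault(xdrs, unp)` (or giving both the explicit-dereference form) keeps the hunk uniform. A one-line comment on the loop, `/* xdrproc_t takes (XDR *, void *); the old LASTUNSIGNED third argument is gone. */`, would also explain to a reader why the argument count changed.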
static bool_t /* next four bytes of input stream are treated as a header */ +-set_input_fragment(rstrm) +- RECSTREAM *rstrm; ++set_input_fragment(RECSTREAM *rstrm) + { + uint32_t header; + +diff --git a/src/lib/rpc/xdr_reference.c b/src/lib/rpc/xdr_reference.c +index eff279dadf..f3d4b7dfb8 100644 +--- a/src/lib/rpc/xdr_reference.c ++++ b/src/lib/rpc/xdr_reference.c +@@ -47,8 +47,6 @@ static char sccsid[] = "@(#)xdr_reference.c 1.11 87/08/11 SMI"; + #include + #include + +-#define LASTUNSIGNED ((u_int)0-1) +- + /* + * XDR an indirect pointer + * xdr_reference is for recursively translating a structure that is +@@ -88,7 +86,7 @@ xdr_reference( + break; + } + +- stat = (*proc)(xdrs, loc, LASTUNSIGNED); ++ stat = (*proc)(xdrs, loc); + + if (xdrs->x_op == XDR_FREE) { + mem_free(loc, size); +diff --git a/src/lib/rpc/xdr_sizeof.c b/src/lib/rpc/xdr_sizeof.c +index 5b77fa6ac0..0c460e7cdb 100644 +--- a/src/lib/rpc/xdr_sizeof.c ++++ b/src/lib/rpc/xdr_sizeof.c +@@ -43,9 +43,7 @@ + + /* ARGSUSED */ + static bool_t +-x_putlong(xdrs, longp) +- XDR *xdrs; +- long *longp; ++x_putlong(XDR *xdrs, long *longp) + { + xdrs->x_handy += BYTES_PER_XDR_UNIT; + return (TRUE); +@@ -53,10 +51,7 @@ x_putlong(xdrs, longp) + + /* ARGSUSED */ + static bool_t +-x_putbytes(xdrs, bp, len) +- XDR *xdrs; +- char *bp; +- int len; ++x_putbytes(XDR *xdrs, char *bp, u_int len) + { + xdrs->x_handy += len; + +@@ -64,26 +59,21 @@ x_putbytes(xdrs, bp, len) + } + + static u_int +-x_getpostn(xdrs) +- XDR *xdrs; ++x_getpostn(XDR *xdrs) + { + return (xdrs->x_handy); + } + + /* ARGSUSED */ + static bool_t +-x_setpostn(xdrs, pos) +- XDR *xdrs; +- u_int pos; ++x_setpostn(XDR *xdrs, u_int pos) + { + /* This is not allowed */ + return (FALSE); + } + + static rpc_inline_t * +-x_inline(xdrs, len) +- XDR *xdrs; +- int len; ++x_inline(XDR *xdrs, int len) + { + if (len == 0) { + return (NULL); +@@ -110,15 +100,14 @@ x_inline(xdrs, len) + } + + static int +-harmless() ++harmless(void) + { + /* Always return FALSE/NULL, as 
the case may be */ + return (0); + } + + static void +-x_destroy(xdrs) +- XDR *xdrs; ++x_destroy(XDR *xdrs) + { + xdrs->x_handy = 0; + xdrs->x_private = NULL; +@@ -130,9 +119,7 @@ x_destroy(xdrs) + } + + unsigned long +-xdr_sizeof(func, data) +- xdrproc_t func; +- void *data; ++xdr_sizeof(xdrproc_t func, void *data) + { + XDR x; + struct xdr_ops ops; +diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c +index 7cf8aa4d99..9b75f34a11 100644 +--- a/src/plugins/kdb/db2/db2_exp.c ++++ b/src/plugins/kdb/db2/db2_exp.c +@@ -68,7 +68,7 @@ k5_mutex_t *krb5_db2_mutex; + return result; \ + } \ + /* hack: decl to allow a following ";" */ \ +- static TYPE wrap_##NAME () ++ static TYPE wrap_##NAME ARGLIST + + /* Two special cases: void (can't assign result), and krb5_error_code + (return error from locking code). */ +@@ -81,7 +81,7 @@ k5_mutex_t *krb5_db2_mutex; + k5_mutex_unlock (krb5_db2_mutex); \ + } \ + /* hack: decl to allow a following ";" */ \ +- static void wrap_##NAME () ++ static void wrap_##NAME ARGLIST + + #define WRAP_K(NAME,ARGLIST,ARGNAMES) \ + WRAP(NAME,krb5_error_code,ARGLIST,ARGNAMES) +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_close.c b/src/plugins/kdb/db2/libdb2/btree/bt_close.c +index 11be134113..f12d74ba32 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_close.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_close.c +@@ -61,8 +61,7 @@ static int bt_meta __P((BTREE *)); + * RET_ERROR, RET_SUCCESS + */ + int +-__bt_close(dbp) +- DB *dbp; ++__bt_close(DB *dbp) + { + BTREE *t; + int fd; +@@ -116,9 +115,7 @@ __bt_close(dbp) + * RET_SUCCESS, RET_ERROR. 
+ */
+ int
+-__bt_sync(dbp, flags)
+- const DB *dbp;
+- u_int flags;
++__bt_sync(const DB *dbp, u_int flags)
+ {
+ BTREE *t;
+ int status;
+@@ -160,8 +157,7 @@ __bt_sync(dbp, flags)
+ * RET_ERROR, RET_SUCCESS
+ */
+ static int
+-bt_meta(t)
+- BTREE *t;
++bt_meta(BTREE *t)
+ {
+ BTMETA m;
+ void *p;
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_conv.c b/src/plugins/kdb/db2/libdb2/btree/bt_conv.c
+index c0644ed713..99c4af56c0 100644
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_conv.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_conv.c
+@@ -59,10 +59,7 @@ static void mswap __P((PAGE *));
+ * h: page to convert
+ */
+ void
+-__bt_pgin(t, pg, pp)
+- void *t;
+- db_pgno_t pg;
+- void *pp;
++__bt_pgin(void *t, db_pgno_t pg, void *pp)
+ {
+ PAGE *h;
+ indx_t i, top;
+@@ -128,10 +125,7 @@ __bt_pgin(t, pg, pp)
+ }
+
+ void
+-__bt_pgout(t, pg, pp)
+- void *t;
+- db_pgno_t pg;
+- void *pp;
++__bt_pgout(void *t, db_pgno_t pg, void *pp)
+ {
+ PAGE *h;
+ indx_t i, top;
+@@ -203,8 +197,7 @@ __bt_pgout(t, pg, pp)
+ * p: page to convert
+ */
+ static void
+-mswap(pg)
+- PAGE *pg;
++mswap(PAGE *pg)
+ {
+ char *p;
+
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_delete.c b/src/plugins/kdb/db2/libdb2/btree/bt_delete.c
+index 28cc24d15a..f8dd59e85a 100644
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_delete.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_delete.c
+@@ -59,10 +59,7 @@ static int __bt_stkacq __P((BTREE *, PAGE **, CURSOR *));
+ * Return RET_SPECIAL if the key is not found.
+ */
+ int
+-__bt_delete(dbp, key, flags)
+- const DB *dbp;
+- const DBT *key;
+- u_int flags;
++__bt_delete(const DB *dbp, const DBT *key, u_int flags)
+ {
+ BTREE *t;
+ CURSOR *c;
+@@ -140,10 +137,7 @@ __bt_delete(dbp, key, flags)
+ * 0 on success, 1 on failure
+ */
+ static int
+-__bt_stkacq(t, hp, c)
+- BTREE *t;
+- PAGE **hp;
+- CURSOR *c;
++__bt_stkacq(BTREE *t, PAGE **hp, CURSOR *c)
+ {
+ BINTERNAL *bi;
+ EPG *e;
+@@ -288,9 +282,7 @@ ret: mpool_put(t->bt_mp, h, 0);
+ * RET_ERROR, RET_SUCCESS and RET_SPECIAL if the key not found.
+ */
+ static int
+-__bt_bdelete(t, key)
+- BTREE *t;
+- const DBT *key;
++__bt_bdelete(BTREE *t, const DBT *key)
+ {
+ EPG *e;
+ PAGE *h;
+@@ -375,9 +367,7 @@ loop: if ((e = __bt_search(t, key, &exact)) == NULL)
+ * mpool_put's the page
+ */
+ static int
+-__bt_pdelete(t, h)
+- BTREE *t;
+- PAGE *h;
++__bt_pdelete(BTREE *t, PAGE *h)
+ {
+ BINTERNAL *bi;
+ PAGE *pg;
+@@ -471,11 +461,7 @@ __bt_pdelete(t, h)
+ * RET_SUCCESS, RET_ERROR.
+ */
+ int
+-__bt_dleaf(t, key, h, idx)
+- BTREE *t;
+- const DBT *key;
+- PAGE *h;
+- u_int idx;
++__bt_dleaf(BTREE *t, const DBT *key, PAGE *h, u_int idx)
+ {
+ BLEAF *bl;
+ indx_t cnt, *ip, offset;
+@@ -536,11 +522,7 @@ __bt_dleaf(t, key, h, idx)
+ * RET_SUCCESS, RET_ERROR.
+ */ + static int +-__bt_curdel(t, key, h, idx) +- BTREE *t; +- const DBT *key; +- PAGE *h; +- u_int idx; ++__bt_curdel(BTREE *t, const DBT *key, PAGE *h, u_int idx) + { + CURSOR *c; + EPG e; +@@ -635,9 +617,7 @@ dup2: c->pg.pgno = e.page->pgno; + * h: page to be deleted + */ + int +-__bt_relink(t, h) +- BTREE *t; +- PAGE *h; ++__bt_relink(BTREE *t, PAGE *h) + { + PAGE *pg; + +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_get.c b/src/plugins/kdb/db2/libdb2/btree/bt_get.c +index b6318211a1..012a341b25 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_get.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_get.c +@@ -60,11 +60,7 @@ static char sccsid[] = "@(#)bt_get.c 8.6 (Berkeley) 7/20/94"; + * RET_ERROR, RET_SUCCESS and RET_SPECIAL if the key not found. + */ + int +-__bt_get(dbp, key, data, flags) +- const DB *dbp; +- const DBT *key; +- DBT *data; +- u_int flags; ++__bt_get(const DB *dbp, const DBT *key, DBT *data, u_int flags) + { + BTREE *t; + EPG *e; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index d5809a5a93..a2910422eb 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -90,10 +90,8 @@ static int tmp __P((void)); + * + */ + DB * +-__bt_open(fname, flags, mode, openinfo, dflags) +- const char *fname; +- int flags, mode, dflags; +- const BTREEINFO *openinfo; ++__bt_open(const char *fname, int flags, int mode, const BTREEINFO *openinfo, ++ int dflags) + { + struct stat sb; + BTMETA m; +@@ -353,8 +351,7 @@ err: if (t) { + * RET_ERROR, RET_SUCCESS + */ + static int +-nroot(t) +- BTREE *t; ++nroot(BTREE *t) + { + PAGE *meta, *root; + db_pgno_t npg; +@@ -459,8 +456,7 @@ byteorder() + } + + int +-__bt_fd(dbp) +- const DB *dbp; ++__bt_fd(const DB *dbp) + { + BTREE *t; + +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_overflow.c b/src/plugins/kdb/db2/libdb2/btree/bt_overflow.c +index 8b1f597912..8301b5d19d 100644 +--- 
a/src/plugins/kdb/db2/libdb2/btree/bt_overflow.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_overflow.c +@@ -77,12 +77,7 @@ static char sccsid[] = "@(#)bt_overflow.c 8.5 (Berkeley) 7/16/94"; + * RET_ERROR, RET_SUCCESS + */ + int +-__ovfl_get(t, p, ssz, buf, bufsz) +- BTREE *t; +- void *p; +- size_t *ssz; +- void **buf; +- size_t *bufsz; ++__ovfl_get(BTREE *t, void *p, size_t *ssz, void **buf, size_t *bufsz) + { + PAGE *h; + db_pgno_t pg; +@@ -136,10 +131,7 @@ __ovfl_get(t, p, ssz, buf, bufsz) + * RET_ERROR, RET_SUCCESS + */ + int +-__ovfl_put(t, dbt, pg) +- BTREE *t; +- const DBT *dbt; +- db_pgno_t *pg; ++__ovfl_put(BTREE *t, const DBT *dbt, db_pgno_t *pg) + { + PAGE *h, *last; + void *p; +@@ -190,9 +182,7 @@ __ovfl_put(t, dbt, pg) + * RET_ERROR, RET_SUCCESS + */ + int +-__ovfl_delete(t, p) +- BTREE *t; +- void *p; ++__ovfl_delete(BTREE *t, void *p) + { + PAGE *h; + db_pgno_t pg; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_page.c b/src/plugins/kdb/db2/libdb2/btree/bt_page.c +index 3663cf7f93..38aa39acfb 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_page.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_page.c +@@ -57,9 +57,7 @@ static char sccsid[] = "@(#)bt_page.c 8.4 (Berkeley) 11/2/95"; + * mpool_put's the page. + */ + int +-__bt_free(t, h) +- BTREE *t; +- PAGE *h; ++__bt_free(BTREE *t, PAGE *h) + { + /* Insert the page at the head of the free list. */ + h->prevpg = P_INVALID; +@@ -83,9 +81,7 @@ __bt_free(t, h) + * Pointer to a page, NULL on error. + */ + PAGE * +-__bt_new(t, npg) +- BTREE *t; +- db_pgno_t *npg; ++__bt_new(BTREE *t, db_pgno_t *npg) + { + PAGE *h; + +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_put.c b/src/plugins/kdb/db2/libdb2/btree/bt_put.c +index 7d6592841a..1303c0baef 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_put.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_put.c +@@ -64,11 +64,7 @@ static EPG *bt_fast __P((BTREE *, const DBT *, const DBT *, int *)); + * tree and R_NOOVERWRITE specified. 
+ */ + int +-__bt_put(dbp, key, data, flags) +- const DB *dbp; +- DBT *key; +- const DBT *data; +- u_int flags; ++__bt_put(const DB *dbp, DBT *key, const DBT *data, u_int flags) + { + BTREE *t; + DBT tkey, tdata; +@@ -272,10 +268,7 @@ u_long bt_cache_hit, bt_cache_miss; + * EPG for new record or NULL if not found. + */ + static EPG * +-bt_fast(t, key, data, exactp) +- BTREE *t; +- const DBT *key, *data; +- int *exactp; ++bt_fast(BTREE *t, const DBT *key, const DBT *data, int *exactp) + { + PAGE *h; + u_int32_t nbytes; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_search.c b/src/plugins/kdb/db2/libdb2/btree/bt_search.c +index c633d14dc6..ed512ccb65 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_search.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_search.c +@@ -63,10 +63,7 @@ static int __bt_sprev __P((BTREE *, PAGE *, const DBT *, int *)); + * the bt_cur field of the tree. A pointer to the field is returned. + */ + EPG * +-__bt_search(t, key, exactp) +- BTREE *t; +- const DBT *key; +- int *exactp; ++__bt_search(BTREE *t, const DBT *key, int *exactp) + { + PAGE *h; + indx_t base, idx, lim; +@@ -148,11 +145,7 @@ next: BT_PUSH(t, h->pgno, idx); + * If an exact match found. + */ + static int +-__bt_snext(t, h, key, exactp) +- BTREE *t; +- PAGE *h; +- const DBT *key; +- int *exactp; ++__bt_snext(BTREE *t, PAGE *h, const DBT *key, int *exactp) + { + BINTERNAL *bi; + EPG e; +@@ -228,11 +221,7 @@ __bt_snext(t, h, key, exactp) + * If an exact match found. 
+ */ + static int +-__bt_sprev(t, h, key, exactp) +- BTREE *t; +- PAGE *h; +- const DBT *key; +- int *exactp; ++__bt_sprev(BTREE *t, PAGE *h, const DBT *key, int *exactp) + { + BINTERNAL *bi; + EPG e; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_seq.c b/src/plugins/kdb/db2/libdb2/btree/bt_seq.c +index 2c8c2de96c..97db44abc8 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_seq.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_seq.c +@@ -102,10 +102,7 @@ static int bt_rseq_prev(BTREE *, EPG *); + * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key. + */ + int +-__bt_seq(dbp, key, data, flags) +- const DB *dbp; +- DBT *key, *data; +- u_int flags; ++__bt_seq(const DB *dbp, DBT *key, DBT *data, u_int flags) + { + BTREE *t; + EPG e; +@@ -179,11 +176,7 @@ __bt_seq(dbp, key, data, flags) + * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key. + */ + static int +-__bt_seqset(t, ep, key, flags) +- BTREE *t; +- EPG *ep; +- DBT *key; +- int flags; ++__bt_seqset(BTREE *t, EPG *ep, DBT *key, int flags) + { + PAGE *h; + db_pgno_t pg; +@@ -273,10 +266,7 @@ __bt_seqset(t, ep, key, flags) + * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key. + */ + static int +-__bt_seqadv(t, ep, flags) +- BTREE *t; +- EPG *ep; +- int flags; ++__bt_seqadv(BTREE *t, EPG *ep, int flags) + { + CURSOR *c; + PAGE *h; +@@ -495,11 +485,7 @@ bt_rseq_prev(BTREE *t, EPG *ep) + * or RET_SPECIAL if no such key exists. + */ + static int +-__bt_first(t, key, erval, exactp) +- BTREE *t; +- const DBT *key; +- EPG *erval; +- int *exactp; ++__bt_first(BTREE *t, const DBT *key, EPG *erval, int *exactp) + { + PAGE *h, *hprev; + EPG *ep, save; +@@ -596,10 +582,7 @@ __bt_first(t, key, erval, exactp) + * index: page index + */ + void +-__bt_setcur(t, pgno, idx) +- BTREE *t; +- db_pgno_t pgno; +- u_int idx; ++__bt_setcur(BTREE *t, db_pgno_t pgno, u_int idx) + { + /* Lose any already deleted key. 
*/ + if (t->bt_cursor.key.data != NULL) { +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_split.c b/src/plugins/kdb/db2/libdb2/btree/bt_split.c +index c7e4e72a90..8901bd64be 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_split.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_split.c +@@ -79,13 +79,8 @@ u_long bt_rootsplit, bt_split, bt_sortsplit, bt_pfxsaved; + * RET_ERROR, RET_SUCCESS + */ + int +-__bt_split(t, sp, key, data, flags, ilen, argskip) +- BTREE *t; +- PAGE *sp; +- const DBT *key, *data; +- int flags; +- size_t ilen; +- u_int32_t argskip; ++__bt_split(BTREE *t, PAGE *sp, const DBT *key, const DBT *data, int flags, ++ size_t ilen, u_int32_t argskip) + { + BINTERNAL *bi = NULL; + BLEAF *bl = NULL, *tbl; +@@ -345,11 +340,7 @@ err2: mpool_put(t->bt_mp, l, 0); + * Pointer to page in which to insert or NULL on error. + */ + static PAGE * +-bt_page(t, h, lp, rp, skip, ilen) +- BTREE *t; +- PAGE *h, **lp, **rp; +- indx_t *skip; +- size_t ilen; ++bt_page(BTREE *t, PAGE *h, PAGE **lp, PAGE **rp, indx_t *skip, size_t ilen) + { + PAGE *l, *r, *tp; + db_pgno_t npg; +@@ -450,11 +441,7 @@ bt_page(t, h, lp, rp, skip, ilen) + * Pointer to page in which to insert or NULL on error. + */ + static PAGE * +-bt_root(t, h, lp, rp, skip, ilen) +- BTREE *t; +- PAGE *h, **lp, **rp; +- indx_t *skip; +- size_t ilen; ++bt_root(BTREE *t, PAGE *h, PAGE **lp, PAGE **rp, indx_t *skip, size_t ilen) + { + PAGE *l, *r, *tp; + db_pgno_t lnpg, rnpg; +@@ -497,9 +484,7 @@ bt_root(t, h, lp, rp, skip, ilen) + * RET_ERROR, RET_SUCCESS + */ + static int +-bt_rroot(t, h, l, r) +- BTREE *t; +- PAGE *h, *l, *r; ++bt_rroot(BTREE *t, PAGE *h, PAGE *l, PAGE *r) + { + char *dest; + +@@ -537,9 +522,7 @@ bt_rroot(t, h, l, r) + * RET_ERROR, RET_SUCCESS + */ + static int +-bt_broot(t, h, l, r) +- BTREE *t; +- PAGE *h, *l, *r; ++bt_broot(BTREE *t, PAGE *h, PAGE *l, PAGE *r) + { + BINTERNAL *bi; + BLEAF *bl; +@@ -617,11 +600,7 @@ bt_broot(t, h, l, r) + * Pointer to page in which to insert. 
+ */ + static PAGE * +-bt_psplit(t, h, l, r, pskip, ilen) +- BTREE *t; +- PAGE *h, *l, *r; +- indx_t *pskip; +- size_t ilen; ++bt_psplit(BTREE *t, PAGE *h, PAGE *l, PAGE *r, indx_t *pskip, size_t ilen) + { + BINTERNAL *bi; + BLEAF *bl; +@@ -796,9 +775,7 @@ bt_psplit(t, h, l, r, pskip, ilen) + * RET_SUCCESS, RET_ERROR. + */ + static int +-bt_preserve(t, pg) +- BTREE *t; +- db_pgno_t pg; ++bt_preserve(BTREE *t, db_pgno_t pg) + { + PAGE *h; + +@@ -824,8 +801,7 @@ bt_preserve(t, pg) + * all the way back to bt_split/bt_rroot and it's not very clean. + */ + static recno_t +-rec_total(h) +- PAGE *h; ++rec_total(PAGE *h) + { + recno_t recs; + indx_t nxt, top; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_utils.c b/src/plugins/kdb/db2/libdb2/btree/bt_utils.c +index be2f24f219..13d1f2c84f 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_utils.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_utils.c +@@ -64,11 +64,8 @@ static char sccsid[] = "@(#)bt_utils.c 8.8 (Berkeley) 7/20/94"; + * RET_SUCCESS, RET_ERROR. + */ + int +-__bt_ret(t, e, key, rkey, data, rdata, copy) +- BTREE *t; +- EPG *e; +- DBT *key, *rkey, *data, *rdata; +- int copy; ++__bt_ret(BTREE *t, EPG *e, DBT *key, DBT *rkey, DBT *data, DBT *rdata, ++ int copy) + { + BLEAF *bl; + void *p; +@@ -150,10 +147,7 @@ dataonly: + * > 0 if k1 is > record + */ + int +-__bt_cmp(t, k1, e) +- BTREE *t; +- const DBT *k1; +- EPG *e; ++__bt_cmp(BTREE *t, const DBT *k1, EPG *e) + { + BINTERNAL *bi; + BLEAF *bl; +@@ -213,8 +207,7 @@ __bt_cmp(t, k1, e) + * > 0 if a is > b + */ + int +-__bt_defcmp(a, b) +- const DBT *a, *b; ++__bt_defcmp(const DBT *a, const DBT *b) + { + size_t len; + u_char *p1, *p2; +@@ -243,8 +236,7 @@ __bt_defcmp(a, b) + * Number of bytes needed to distinguish b from a. 
+ */ + size_t +-__bt_defpfx(a, b) +- const DBT *a, *b; ++__bt_defpfx(const DBT *a, const DBT *b) + { + u_char *p1, *p2; + size_t cnt, len; +diff --git a/src/plugins/kdb/db2/libdb2/db/db.c b/src/plugins/kdb/db2/libdb2/db/db.c +index fba7795342..f85484f077 100644 +--- a/src/plugins/kdb/db2/libdb2/db/db.c ++++ b/src/plugins/kdb/db2/libdb2/db/db.c +@@ -45,11 +45,8 @@ static char sccsid[] = "@(#)db.c 8.4 (Berkeley) 2/21/94"; + #include "db-int.h" + + DB * +-kdb2_dbopen(fname, flags, mode, type, openinfo) +- const char *fname; +- int flags, mode; +- DBTYPE type; +- const void *openinfo; ++kdb2_dbopen(const char *fname, int flags, int mode, DBTYPE type, ++ const void *openinfo) + { + + #define DB_FLAGS (DB_LOCK | DB_SHMEM | DB_TXN) +@@ -74,7 +71,7 @@ kdb2_dbopen(fname, flags, mode, type, openinfo) + } + + static int +-__dberr() ++__dberr(void) + { + return (RET_ERROR); + } +@@ -86,14 +83,15 @@ __dberr() + * dbp: pointer to the DB structure. + */ + void +-__dbpanic(dbp) +- DB *dbp; ++__dbpanic(DB *dbp) + { + /* The only thing that can succeed is a close. 
*/ +- dbp->del = (int (*)())__dberr; +- dbp->fd = (int (*)())__dberr; +- dbp->get = (int (*)())__dberr; +- dbp->put = (int (*)())__dberr; +- dbp->seq = (int (*)())__dberr; +- dbp->sync = (int (*)())__dberr; ++ dbp->del = (int (*)(const struct __db *, const DBT *, u_int))__dberr; ++ dbp->fd = (int (*)(const struct __db *))__dberr; ++ dbp->get = (int (*)(const struct __db *, const DBT *, DBT *, ++ u_int))__dberr; ++ dbp->put = (int (*)(const struct __db *, DBT *, const DBT *, ++ u_int))__dberr; ++ dbp->seq = (int (*)(const struct __db *, DBT *, DBT *, u_int))__dberr; ++ dbp->sync = (int (*)(const struct __db *, u_int))__dberr; + } +diff --git a/src/plugins/kdb/db2/libdb2/hash/dbm.c b/src/plugins/kdb/db2/libdb2/hash/dbm.c +index 4878cbc0b6..2dca256dc3 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/dbm.c ++++ b/src/plugins/kdb/db2/libdb2/hash/dbm.c +@@ -69,8 +69,7 @@ static DBM *__cur_db; + static void no_open_db __P((void)); + + int +-kdb2_dbminit(file) +- char *file; ++kdb2_dbminit(char *file) + { + if (__cur_db != NULL) + (void)kdb2_dbm_close(__cur_db); +@@ -82,8 +81,7 @@ kdb2_dbminit(file) + } + + datum +-kdb2_fetch(key) +- datum key; ++kdb2_fetch(datum key) + { + datum item; + +@@ -111,8 +109,7 @@ kdb2_firstkey() + } + + datum +-kdb2_nextkey(key) +- datum key; ++kdb2_nextkey(datum key) + { + datum item; + +@@ -126,8 +123,7 @@ kdb2_nextkey(key) + } + + int +-kdb2_delete(key) +- datum key; ++kdb2_delete(datum key) + { + if (__cur_db == NULL) { + no_open_db(); +@@ -137,8 +133,7 @@ kdb2_delete(key) + } + + int +-kdb2_store(key, dat) +- datum key, dat; ++kdb2_store(datum key, datum dat) + { + if (__cur_db == NULL) { + no_open_db(); +@@ -159,9 +154,7 @@ no_open_db() + * NULL on failure + */ + DBM * +-kdb2_dbm_open(file, flags, mode) +- const char *file; +- int flags, mode; ++kdb2_dbm_open(const char *file, int flags, int mode) + { + HASHINFO info; + char path[MAXPATHLEN]; +@@ -183,8 +176,7 @@ kdb2_dbm_open(file, flags, mode) + * Nothing. 
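Review bot: `__dbpanic` still calls `__dberr(void)` through six function pointers of other types; the new casts make each slot's signature explicit, but the call itself remains undefined behaviour (C11 6.5.2.2p9) and is exactly what `-fsanitize=function` and Clang's CFI indirect-call check reject at runtime. Because the hunk now spells out every slot type, one correctly typed stub per slot removes the casts for about the same number of lines, and `__dberr` then becomes unused and can go with the `@@ -74,7 +71,7 @@` hunk. The member types below are copied from the casts in this hunk; they should be checked against the `struct __db` declaration, which is not part of the patch.

```c
/* Typed stand-ins for __dberr so each slot is reached through a pointer of
 * its own type rather than through a cast of int (*)(void). */
static int dberr_del(const struct __db *dbp, const DBT *key, u_int flags)
{
	return (RET_ERROR);
}
static int dberr_fd(const struct __db *dbp)
{
	return (RET_ERROR);
}
static int dberr_get(const struct __db *dbp, const DBT *key, DBT *data,
    u_int flags)
{
	return (RET_ERROR);
}
static int dberr_put(const struct __db *dbp, DBT *key, const DBT *data,
    u_int flags)
{
	return (RET_ERROR);
}
static int dberr_seq(const struct __db *dbp, DBT *key, DBT *data, u_int flags)
{
	return (RET_ERROR);
}
static int dberr_sync(const struct __db *dbp, u_int flags)
{
	return (RET_ERROR);
}

void
__dbpanic(DB *dbp)
{
	/* The only thing that can succeed is a close. */
	dbp->del = dberr_del;
	dbp->fd = dberr_fd;
	dbp->get = dberr_get;
	dbp->put = dberr_put;
	dbp->seq = dberr_seq;
	dbp->sync = dberr_sync;
}
```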
+ */ + void +-kdb2_dbm_close(db) +- DBM *db; ++kdb2_dbm_close(DBM *db) + { + (void)(db->close)(db); + } +@@ -195,9 +187,7 @@ kdb2_dbm_close(db) + * NULL on failure + */ + datum +-kdb2_dbm_fetch(db, key) +- DBM *db; +- datum key; ++kdb2_dbm_fetch(DBM *db, datum key) + { + datum retval; + int status; +@@ -226,8 +216,7 @@ kdb2_dbm_fetch(db, key) + * NULL on failure + */ + datum +-kdb2_dbm_firstkey(db) +- DBM *db; ++kdb2_dbm_firstkey(DBM *db) + { + int status; + datum retkey; +@@ -254,8 +243,7 @@ kdb2_dbm_firstkey(db) + * NULL on failure + */ + datum +-kdb2_dbm_nextkey(db) +- DBM *db; ++kdb2_dbm_nextkey(DBM *db) + { + int status; + datum retkey; +@@ -282,9 +270,7 @@ kdb2_dbm_nextkey(db) + * <0 failure + */ + int +-kdb2_dbm_delete(db, key) +- DBM *db; +- datum key; ++kdb2_dbm_delete(DBM *db, datum key) + { + int status; + +@@ -310,10 +296,7 @@ kdb2_dbm_delete(db, key) + * 1 if DBM_INSERT and entry exists + */ + int +-kdb2_dbm_store(db, key, content, flags) +- DBM *db; +- datum key, content; +- int flags; ++kdb2_dbm_store(DBM *db, datum key, datum content, int flags) + { + #ifdef NEED_COPY + DBT k, c; +@@ -331,8 +314,7 @@ kdb2_dbm_store(db, key, content, flags) + } + + int +-kdb2_dbm_error(db) +- DBM *db; ++kdb2_dbm_error(DBM *db) + { + HTAB *hp; + +@@ -341,8 +323,7 @@ kdb2_dbm_error(db) + } + + int +-kdb2_dbm_clearerr(db) +- DBM *db; ++kdb2_dbm_clearerr(DBM *db) + { + HTAB *hp; + +@@ -352,8 +333,7 @@ kdb2_dbm_clearerr(db) + } + + int +-kdb2_dbm_dirfno(db) +- DBM *db; ++kdb2_dbm_dirfno(DBM *db) + { + return(((HTAB *)db->internal)->fp); + } +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 686a960c96..9528b62538 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -95,10 +95,8 @@ u_int32_t hash_accesses, hash_collisions, hash_expansions, hash_overflows, + /* OPEN/CLOSE */ + + extern DB * +-__kdb2_hash_open(file, flags, mode, info, dflags) +- const char *file; +- int flags, 
mode, dflags; +- const HASHINFO *info; /* Special directives for create */ ++__kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info, ++ int dflags) + { + struct stat statbuf; + DB *dbp; +@@ -261,8 +259,7 @@ error0: + } + + static int32_t +-hash_close(dbp) +- DB *dbp; ++hash_close(DB *dbp) + { + HTAB *hashp; + int32_t retval; +@@ -277,8 +274,7 @@ hash_close(dbp) + } + + static int32_t +-hash_fd(dbp) +- const DB *dbp; ++hash_fd(const DB *dbp) + { + HTAB *hashp; + +@@ -295,10 +291,7 @@ hash_fd(dbp) + + /************************** LOCAL CREATION ROUTINES **********************/ + static HTAB * +-init_hash(hashp, file, info) +- HTAB *hashp; +- const char *file; +- const HASHINFO *info; ++init_hash(HTAB *hashp, const char *file, const HASHINFO *info) + { + struct stat statbuf; + +@@ -350,9 +343,7 @@ init_hash(hashp, file, info) + * Returns 0 on No Error + */ + static int32_t +-init_htab(hashp, nelem) +- HTAB *hashp; +- int32_t nelem; ++init_htab(HTAB *hashp, int32_t nelem) + { + int32_t l2, nbuckets; + +@@ -404,9 +395,7 @@ init_htab(hashp, nelem) + * Functions to get/put hash header. We access the file directly. + */ + static u_int32_t +-hget_header(hashp, page_size) +- HTAB *hashp; +- u_int32_t page_size; ++hget_header(HTAB *hashp, u_int32_t page_size) + { + u_int32_t num_copied; + u_int8_t *hdr_dest; +@@ -432,8 +421,7 @@ hget_header(hashp, page_size) + } + + static void +-hput_header(hashp) +- HTAB *hashp; ++hput_header(HTAB *hashp) + { + HASHHDR *whdrp; + #if DB_BYTE_ORDER == DB_LITTLE_ENDIAN +@@ -463,8 +451,7 @@ hput_header(hashp) + * structure, freeing all allocated space. 
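Review bot: The prototype conversion of `__kdb2_hash_open` drops the `/* Special directives for create */` comment that annotated the `info` parameter, and the `hash_delete` hunk (`@@ -647,10 +623,7 @@`) likewise loses `/* Ignored */` on `flag`; the xdr_rec.c hunk in this same patch keeps its parameter comments by moving them onto their own lines, so these two should do the same. For example `const HASHINFO *info, /* Special directives for create */` and `u_int32_t flag /* Ignored */)` preserve the information without changing either signature.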
+ */ + static int32_t +-hdestroy(hashp) +- HTAB *hashp; ++hdestroy(HTAB *hashp) + { + int32_t save_errno; + +@@ -550,9 +537,7 @@ hdestroy(hashp) + * -1 ERROR + */ + static int32_t +-hash_sync(dbp, flags) +- const DB *dbp; +- u_int32_t flags; ++hash_sync(const DB *dbp, u_int32_t flags) + { + HTAB *hashp; + +@@ -571,8 +556,7 @@ hash_sync(dbp, flags) + * -1 indicates that errno should be set + */ + static int32_t +-flush_meta(hashp) +- HTAB *hashp; ++flush_meta(HTAB *hashp) + { + int32_t i; + +@@ -608,11 +592,7 @@ flush_meta(hashp) + /* *** make sure this is true! */ + + static int32_t +-hash_get(dbp, key, data, flag) +- const DB *dbp; +- const DBT *key; +- DBT *data; +- u_int32_t flag; ++hash_get(const DB *dbp, const DBT *key, DBT *data, u_int32_t flag) + { + HTAB *hashp; + +@@ -625,11 +605,7 @@ hash_get(dbp, key, data, flag) + } + + static int32_t +-hash_put(dbp, key, data, flag) +- const DB *dbp; +- DBT *key; +- const DBT *data; +- u_int32_t flag; ++hash_put(const DB *dbp, DBT *key, const DBT *data, u_int32_t flag) + { + HTAB *hashp; + +@@ -647,10 +623,7 @@ hash_put(dbp, key, data, flag) + } + + static int32_t +-hash_delete(dbp, key, flag) +- const DB *dbp; +- const DBT *key; +- u_int32_t flag; /* Ignored */ ++hash_delete(const DB *dbp, const DBT *key, u_int32_t flag) + { + HTAB *hashp; + +@@ -671,11 +644,7 @@ hash_delete(dbp, key, flag) + * Assume that hashp has been set in wrapper routine. 
+ */ + static int32_t +-hash_access(hashp, action, key, val) +- HTAB *hashp; +- ACTION action; +- const DBT *key; +- DBT *val; ++hash_access(HTAB *hashp, ACTION action, const DBT *key, DBT *val) + { + DBT page_key, page_val; + CURSOR cursor; +@@ -792,8 +761,7 @@ found: __get_item_done(hashp, &cursor); + + /* ****************** CURSORS ********************************** */ + CURSOR * +-__cursor_creat(dbp) +- const DB *dbp; ++__cursor_creat(const DB *dbp) + { + CURSOR *new_curs; + HTAB *hashp; +@@ -824,11 +792,7 @@ __cursor_creat(dbp) + } + + static int32_t +-cursor_get(dbp, cursorp, key, val, flags) +- const DB *dbp; +- CURSOR *cursorp; +- DBT *key, *val; +- u_int32_t flags; ++cursor_get(const DB *dbp, CURSOR *cursorp, DBT *key, DBT *val, u_int32_t flags) + { + HTAB *hashp; + ITEM_INFO item_info; +@@ -897,10 +861,7 @@ cursor_get(dbp, cursorp, key, val, flags) + } + + static int32_t +-cursor_delete(dbp, cursor, flags) +- const DB *dbp; +- CURSOR *cursor; +- u_int32_t flags; ++cursor_delete(const DB *dbp, CURSOR *cursor, u_int32_t flags) + { + /* XXX this is empirically determined, so it might not be completely + correct, but it seems to work. At the very least it fixes +@@ -913,10 +874,7 @@ cursor_delete(dbp, cursor, flags) + } + + static int32_t +-hash_seq(dbp, key, val, flag) +- const DB *dbp; +- DBT *key, *val; +- u_int32_t flag; ++hash_seq(const DB *dbp, DBT *key, DBT *val, u_int32_t flag) + { + HTAB *hashp; + +@@ -940,8 +898,7 @@ hash_seq(dbp, key, val, flag) + * -1 ==> Error + */ + int32_t +-__expand_table(hashp) +- HTAB *hashp; ++__expand_table(HTAB *hashp) + { + u_int32_t old_bucket, new_bucket; + int32_t spare_ndx; +@@ -980,10 +937,7 @@ __expand_table(hashp) + } + + u_int32_t +-__call_hash(hashp, k, len) +- HTAB *hashp; +- int8_t *k; +- int32_t len; ++__call_hash(HTAB *hashp, int8_t *k, int32_t len) + { + u_int32_t n, bucket; + +@@ -999,8 +953,7 @@ __call_hash(hashp, k, len) + * Hashp->hdr needs to be byteswapped. 
+ */ + static void +-swap_header_copy(srcp, destp) +- HASHHDR *srcp, *destp; ++swap_header_copy(HASHHDR *srcp, HASHHDR *destp) + { + int32_t i; + +@@ -1025,8 +978,7 @@ swap_header_copy(srcp, destp) + } + + static void +-swap_header(hashp) +- HTAB *hashp; ++swap_header(HTAB *hashp) + { + HASHHDR *hdrp; + int32_t i; +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c b/src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c +index 4b95278f53..6befb7a57e 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash_bigkey.c +@@ -83,10 +83,7 @@ static int32_t collect_data __P((HTAB *, PAGE16 *, int32_t)); + * -1 ==> ERROR + */ + int32_t +-__big_insert(hashp, pagep, key, val) +- HTAB *hashp; +- PAGE16 *pagep; +- const DBT *key, *val; ++__big_insert(HTAB *hashp, PAGE16 *pagep, const DBT *key, const DBT *val) + { + size_t key_size, val_size; + indx_t key_move_bytes, val_move_bytes; +@@ -185,11 +182,7 @@ __big_delete(hashp, pagep, ndx) + * -1 error + */ + int32_t +-__find_bigpair(hashp, cursorp, key, size) +- HTAB *hashp; +- CURSOR *cursorp; +- int8_t *key; +- int32_t size; ++__find_bigpair(HTAB *hashp, CURSOR *cursorp, int8_t *key, int32_t size) + { + PAGE16 *pagep, *hold_pagep; + db_pgno_t next_pgno; +@@ -257,11 +250,7 @@ __find_bigpair(hashp, cursorp, key, size) + * Fill in the key and data for this big pair. + */ + int32_t +-__big_keydata(hashp, pagep, key, val, ndx) +- HTAB *hashp; +- PAGE16 *pagep; +- DBT *key, *val; +- int32_t ndx; ++__big_keydata(HTAB *hashp, PAGE16 *pagep, DBT *key, DBT *val, int32_t ndx) + { + ITEM_INFO ii; + PAGE16 *key_pagep; +@@ -315,11 +304,8 @@ __get_bigkey(hashp, pagep, ndx, key) + * Return the big key and data indicated in item_info. 
+ */ + int32_t +-__big_return(hashp, item_info, val, on_bigkey_page) +- HTAB *hashp; +- ITEM_INFO *item_info; +- DBT *val; +- int32_t on_bigkey_page; ++__big_return(HTAB *hashp, ITEM_INFO *item_info, DBT *val, ++ int32_t on_bigkey_page) + { + PAGE16 *pagep; + db_pgno_t next_pgno; +@@ -366,11 +352,7 @@ __big_return(hashp, item_info, val, on_bigkey_page) + * Return total length of data; -1 if error. + */ + static int32_t +-collect_key(hashp, pagep, len, last_page) +- HTAB *hashp; +- PAGE16 *pagep; +- int32_t len; +- db_pgno_t *last_page; ++collect_key(HTAB *hashp, PAGE16 *pagep, int32_t len, db_pgno_t *last_page) + { + PAGE16 *next_pagep; + int32_t totlen, retval; +@@ -434,10 +416,7 @@ collect_key(hashp, pagep, len, last_page) + * Return total length of data; -1 if error. + */ + static int32_t +-collect_data(hashp, pagep, len) +- HTAB *hashp; +- PAGE16 *pagep; +- int32_t len; ++collect_data(HTAB *hashp, PAGE16 *pagep, int32_t len) + { + PAGE16 *next_pagep; + int32_t totlen, retval; +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash_func.c b/src/plugins/kdb/db2/libdb2/hash/hash_func.c +index 1dee694608..f169be685e 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash_func.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash_func.c +@@ -66,9 +66,7 @@ u_int32_t (*__default_hash) __P((const void *, size_t)) = hash4; + + #if 0 + static u_int32_t +-hash1(key, len) +- const void *key; +- size_t len; ++hash1(const void *key, size_t len) + { + u_int32_t h; + u_int8_t *k; +@@ -88,9 +86,7 @@ hash1(key, len) + #define dcharhash(h, c) ((h) = 0x63c63cd9*(h) + 0x9c39c33d + (c)) + + static u_int32_t +-hash2(key, len) +- const void *key; +- size_t len; ++hash2(const void *key, size_t len) + { + u_int32_t h; + u_int8_t *e, c, *k; +@@ -116,9 +112,7 @@ hash2(key, len) + * Ozan Yigit's original sdbm hash. 
+ */ + static u_int32_t +-hash3(key, len) +- const void *key; +- size_t len; ++hash3(const void *key, size_t len) + { + u_int32_t n, loop; + u_int8_t *k; +@@ -159,9 +153,7 @@ hash3(key, len) + + /* Chris Torek's hash function. */ + static u_int32_t +-hash4(key, len) +- const void *key; +- size_t len; ++hash4(const void *key, size_t len) + { + u_int32_t h, loop; + const u_int8_t *k; +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash_log2.c b/src/plugins/kdb/db2/libdb2/hash/hash_log2.c +index 8c710e5d21..7fdfd854d2 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash_log2.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash_log2.c +@@ -44,8 +44,7 @@ static char sccsid[] = "@(#)hash_log2.c 8.4 (Berkeley) 11/7/95"; + #include "extern.h" + + u_int32_t +-__kdb2_log2(num) +- u_int32_t num; ++__kdb2_log2(u_int32_t num) + { + u_int32_t i, limit; + +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash_page.c b/src/plugins/kdb/db2/libdb2/hash/hash_page.c +index 0da357108a..dba29e0cb5 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash_page.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash_page.c +@@ -84,11 +84,8 @@ static void account_page(HTAB *, db_pgno_t, int); + #endif + + u_int32_t +-__get_item(hashp, cursorp, key, val, item_info) +- HTAB *hashp; +- CURSOR *cursorp; +- DBT *key, *val; +- ITEM_INFO *item_info; ++__get_item(HTAB *hashp, CURSOR *cursorp, DBT *key, DBT *val, ++ ITEM_INFO *item_info) + { + db_pgno_t next_pgno; + int32_t i; +@@ -159,9 +156,7 @@ __get_item(hashp, cursorp, key, val, item_info) + } + + u_int32_t +-__get_item_reset(hashp, cursorp) +- HTAB *hashp; +- CURSOR *cursorp; ++__get_item_reset(HTAB *hashp, CURSOR *cursorp) + { + if (cursorp->pagep) + __put_page(hashp, cursorp->pagep, A_RAW, 0); +@@ -174,9 +169,7 @@ __get_item_reset(hashp, cursorp) + } + + u_int32_t +-__get_item_done(hashp, cursorp) +- HTAB *hashp; +- CURSOR *cursorp; ++__get_item_done(HTAB *hashp, CURSOR *cursorp) + { + if (cursorp->pagep) + __put_page(hashp, cursorp->pagep, A_RAW, 0); +@@ -190,11 +183,8 
@@ __get_item_done(hashp, cursorp) + } + + u_int32_t +-__get_item_first(hashp, cursorp, key, val, item_info) +- HTAB *hashp; +- CURSOR *cursorp; +- DBT *key, *val; +- ITEM_INFO *item_info; ++__get_item_first(HTAB *hashp, CURSOR *cursorp, DBT *key, DBT *val, ++ ITEM_INFO *item_info) + { + __get_item_reset(hashp, cursorp); + cursorp->bucket = 0; +@@ -206,11 +196,8 @@ __get_item_first(hashp, cursorp, key, val, item_info) + * just returns the page number and index of the bigkey pointer pair. + */ + u_int32_t +-__get_item_next(hashp, cursorp, key, val, item_info) +- HTAB *hashp; +- CURSOR *cursorp; +- DBT *key, *val; +- ITEM_INFO *item_info; ++__get_item_next(HTAB *hashp, CURSOR *cursorp, DBT *key, DBT *val, ++ ITEM_INFO *item_info) + { + int status; + +@@ -224,9 +211,7 @@ __get_item_next(hashp, cursorp, key, val, item_info) + * Put a non-big pair on a page. + */ + static void +-putpair(p, key, val) +- PAGE8 *p; +- const DBT *key, *val; ++putpair(PAGE8 *p, const DBT *key, const DBT *val) + { + u_int16_t *pagep, n, off; + +@@ -275,10 +260,7 @@ prev_realkey(pagep, n) + * -1 error + */ + extern int32_t +-__delpair(hashp, cursorp, item_info) +- HTAB *hashp; +- CURSOR *cursorp; +- ITEM_INFO *item_info; ++__delpair(HTAB *hashp, CURSOR *cursorp, ITEM_INFO *item_info) + { + PAGE16 *pagep; + indx_t ndx; +@@ -412,9 +394,7 @@ __delpair(hashp, cursorp, item_info) + } + + extern int32_t +-__split_page(hashp, obucket, nbucket) +- HTAB *hashp; +- u_int32_t obucket, nbucket; ++__split_page(HTAB *hashp, u_int32_t obucket, u_int32_t nbucket) + { + DBT key, val; + ITEM_INFO old_ii, new_ii; +@@ -661,9 +641,7 @@ add_bigptr(hashp, item_info, big_pgno) + * NULL on error + */ + extern PAGE16 * +-__add_ovflpage(hashp, pagep) +- HTAB *hashp; +- PAGE16 *pagep; ++__add_ovflpage(HTAB *hashp, PAGE16 *pagep) + { + PAGE16 *new_pagep; + u_int16_t ovfl_num; +@@ -768,10 +746,7 @@ page_init(hashp, pagep, pgno, type) + } + + int32_t +-__new_page(hashp, addr, addr_type) +- HTAB *hashp; +- u_int32_t addr; +- 
int32_t addr_type; ++__new_page(HTAB *hashp, u_int32_t addr, int32_t addr_type) + { + db_pgno_t paddr; + PAGE16 *pagep; +@@ -804,10 +779,7 @@ __new_page(hashp, addr, addr_type) + } + + int32_t +-__delete_page(hashp, pagep, page_type) +- HTAB *hashp; +- PAGE16 *pagep; +- int32_t page_type; ++__delete_page(HTAB *hashp, PAGE16 *pagep, int32_t page_type) + { + if (page_type == A_OVFL) + __free_ovflpage(hashp, pagep); +@@ -815,9 +787,7 @@ __delete_page(hashp, pagep, page_type) + } + + static u_int8_t +-is_bitmap_pgno(hashp, pgno) +- HTAB *hashp; +- db_pgno_t pgno; ++is_bitmap_pgno(HTAB *hashp, db_pgno_t pgno) + { + int32_t i; + +@@ -828,10 +798,7 @@ is_bitmap_pgno(hashp, pgno) + } + + void +-__pgin_routine(pg_cookie, pgno, page) +- void *pg_cookie; +- db_pgno_t pgno; +- void *page; ++__pgin_routine(void *pg_cookie, db_pgno_t pgno, void *page) + { + HTAB *hashp; + PAGE16 *pagep; +@@ -868,10 +835,7 @@ __pgin_routine(pg_cookie, pgno, page) + } + + void +-__pgout_routine(pg_cookie, pgno, page) +- void *pg_cookie; +- db_pgno_t pgno; +- void *page; ++__pgout_routine(void *pg_cookie, db_pgno_t pgno, void *page) + { + HTAB *hashp; + PAGE16 *pagep; +@@ -905,10 +869,7 @@ __pgout_routine(pg_cookie, pgno, page) + * -1 ==>failure + */ + extern int32_t +-__put_page(hashp, pagep, addr_type, is_dirty) +- HTAB *hashp; +- PAGE16 *pagep; +- int32_t addr_type, is_dirty; ++__put_page(HTAB *hashp, PAGE16 *pagep, int32_t addr_type, int32_t is_dirty) + { + #if DEBUG_SLOW + account_page(hashp, +@@ -924,10 +885,7 @@ __put_page(hashp, pagep, addr_type, is_dirty) + * -1 indicates FAILURE + */ + extern PAGE16 * +-__get_page(hashp, addr, addr_type) +- HTAB *hashp; +- u_int32_t addr; +- int32_t addr_type; ++__get_page(HTAB *hashp, u_int32_t addr, int32_t addr_type) + { + PAGE16 *pagep; + db_pgno_t paddr; +@@ -958,8 +916,7 @@ __get_page(hashp, addr, addr_type) + } + + static void +-swap_page_header_in(pagep) +- PAGE16 *pagep; ++swap_page_header_in(PAGE16 *pagep) + { + u_int32_t i; + +@@ -977,8 +934,7 
@@ swap_page_header_in(pagep) + } + + static void +-swap_page_header_out(pagep) +- PAGE16 *pagep; ++swap_page_header_out(PAGE16 *pagep) + { + u_int32_t i; + +@@ -1001,9 +957,7 @@ swap_page_header_out(pagep) + * once they are read in. + */ + extern int32_t +-__ibitmap(hashp, pnum, nbits, ndx) +- HTAB *hashp; +- int32_t pnum, nbits, ndx; ++__ibitmap(HTAB *hashp, int32_t pnum, int32_t nbits, int32_t ndx) + { + u_int32_t *ip; + int32_t clearbytes, clearints; +@@ -1027,8 +981,7 @@ __ibitmap(hashp, pnum, nbits, ndx) + } + + static u_int32_t +-first_free(map) +- u_int32_t map; ++first_free(u_int32_t map) + { + u_int32_t i, mask; + +@@ -1044,8 +997,7 @@ first_free(map) + * returns 0 on error + */ + static u_int16_t +-overflow_page(hashp) +- HTAB *hashp; ++overflow_page(HTAB *hashp) + { + u_int32_t *freep; + u_int32_t bit, first_page, free_bit, free_page, i, in_use_bits, j; +@@ -1206,9 +1158,7 @@ found: + + #ifdef DEBUG + int +-bucket_to_page(hashp, n) +- HTAB *hashp; +- int n; ++bucket_to_page(HTAB *hashp, int n) + { + int ret_val; + +@@ -1219,9 +1169,7 @@ bucket_to_page(hashp, n) + } + + int32_t +-oaddr_to_page(hashp, n) +- HTAB *hashp; +- int n; ++oaddr_to_page(HTAB *hashp, int n) + { + int ret_val, temp; + +@@ -1234,9 +1182,7 @@ oaddr_to_page(hashp, n) + #endif /* DEBUG */ + + static indx_t +-page_to_oaddr(hashp, pgno) +- HTAB *hashp; +- db_pgno_t pgno; ++page_to_oaddr(HTAB *hashp, db_pgno_t pgno) + { + int32_t sp, ret_val; + +@@ -1268,9 +1214,7 @@ page_to_oaddr(hashp, pgno) + * Mark this overflow page as free. 
+ */ + extern void +-__free_ovflpage(hashp, pagep) +- HTAB *hashp; +- PAGE16 *pagep; ++__free_ovflpage(HTAB *hashp, PAGE16 *pagep) + { + u_int32_t *freep; + u_int32_t bit_address, free_page, free_bit; +@@ -1307,9 +1251,7 @@ __free_ovflpage(hashp, pagep) + } + + static u_int32_t * +-fetch_bitmap(hashp, ndx) +- HTAB *hashp; +- int32_t ndx; ++fetch_bitmap(HTAB *hashp, int32_t ndx) + { + if (ndx >= hashp->nmaps) + return (NULL); +@@ -1322,10 +1264,7 @@ fetch_bitmap(hashp, ndx) + + #ifdef DEBUG_SLOW + static void +-account_page(hashp, pgno, inout) +- HTAB *hashp; +- db_pgno_t pgno; +- int inout; ++account_page(HTAB *hashp, db_pgno_t pgno, int inout) + { + static struct { + db_pgno_t pgno; +diff --git a/src/plugins/kdb/db2/libdb2/hash/hsearch.c b/src/plugins/kdb/db2/libdb2/hash/hsearch.c +index 02ff7ef843..ffcdfcf294 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hsearch.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hsearch.c +@@ -50,8 +50,7 @@ static DB *dbp = NULL; + static ENTRY retval; + + extern int +-hcreate(nel) +- u_int nel; ++hcreate(u_int nel) + { + HASHINFO info; + +@@ -66,9 +65,7 @@ hcreate(nel) + } + + extern ENTRY * +-hsearch(item, action) +- ENTRY item; +- ACTION action; ++hsearch(ENTRY item, ACTION action) + { + DBT key, val; + int status; +@@ -98,7 +95,7 @@ hsearch(item, action) + } + + extern void +-hdestroy() ++hdestroy(void) + { + if (dbp) { + (void)(dbp->close)(dbp); +diff --git a/src/plugins/kdb/db2/libdb2/mpool/mpool.c b/src/plugins/kdb/db2/libdb2/mpool/mpool.c +index 0fcfd4ac2b..028fb180ca 100644 +--- a/src/plugins/kdb/db2/libdb2/mpool/mpool.c ++++ b/src/plugins/kdb/db2/libdb2/mpool/mpool.c +@@ -56,10 +56,7 @@ static int mpool_write __P((MPOOL *, BKT *)); + * Initialize a memory pool. 
+ */ + MPOOL * +-mpool_open(key, fd, pagesize, maxcache) +- void *key; +- int fd; +- db_pgno_t pagesize, maxcache; ++mpool_open(void *key, int fd, db_pgno_t pagesize, db_pgno_t maxcache) + { + struct stat sb; + MPOOL *mp; +@@ -96,11 +93,8 @@ mpool_open(key, fd, pagesize, maxcache) + * Initialize input/output filters. + */ + void +-mpool_filter(mp, pgin, pgout, pgcookie) +- MPOOL *mp; +- void (*pgin) __P((void *, db_pgno_t, void *)); +- void (*pgout) __P((void *, db_pgno_t, void *)); +- void *pgcookie; ++mpool_filter(MPOOL *mp, void (*pgin) __P((void *, db_pgno_t, void *)), ++ void (*pgout) __P((void *, db_pgno_t, void *)), void *pgcookie) + { + mp->pgin = pgin; + mp->pgout = pgout; +@@ -112,10 +106,7 @@ mpool_filter(mp, pgin, pgout, pgcookie) + * Get a new page of memory. + */ + void * +-mpool_new(mp, pgnoaddr, flags) +- MPOOL *mp; +- db_pgno_t *pgnoaddr; +- u_int flags; ++mpool_new(MPOOL *mp, db_pgno_t *pgnoaddr, u_int flags) + { + struct _hqh *head; + BKT *bp; +@@ -149,9 +140,7 @@ mpool_new(mp, pgnoaddr, flags) + } + + int +-mpool_delete(mp, page) +- MPOOL *mp; +- void *page; ++mpool_delete(MPOOL *mp, void *page) + { + struct _hqh *head; + BKT *bp; +@@ -180,10 +169,7 @@ mpool_delete(mp, page) + * Get a page. + */ + void * +-mpool_get(mp, pgno, flags) +- MPOOL *mp; +- db_pgno_t pgno; +- u_int flags; /* XXX not used? */ ++mpool_get(MPOOL *mp, db_pgno_t pgno, u_int flags) + { + struct _hqh *head; + BKT *bp; +@@ -278,10 +264,7 @@ mpool_get(mp, pgno, flags) + * Return a page. + */ + int +-mpool_put(mp, page, flags) +- MPOOL *mp; +- void *page; +- u_int flags; ++mpool_put(MPOOL *mp, void *page, u_int flags) + { + BKT *bp; + +@@ -307,8 +290,7 @@ mpool_put(mp, page, flags) + * Close the buffer pool. + */ + int +-mpool_close(mp) +- MPOOL *mp; ++mpool_close(MPOOL *mp) + { + BKT *bp; + +@@ -328,8 +310,7 @@ mpool_close(mp) + * Sync the pool to disk. 
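Review bot: The rewritten `mpool_get` signature drops the `/* XXX not used? */` annotation that the K&R declaration carried on `flags`, so the only hint that the parameter may be ignored disappears with this conversion. Keep the note on the new prototype, `mpool_get(MPOOL *mp, db_pgno_t pgno, u_int flags /* XXX not used? */)`, or replace it with a one-line comment above the definition stating whether `flags` is consulted. The body that would settle the question lies outside the hunk.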
+ */ + int +-mpool_sync(mp) +- MPOOL *mp; ++mpool_sync(MPOOL *mp) + { + BKT *bp; + +@@ -348,8 +329,7 @@ mpool_sync(mp) + * Get a page from the cache (or create one). + */ + static BKT * +-mpool_bkt(mp) +- MPOOL *mp; ++mpool_bkt(MPOOL *mp) + { + struct _hqh *head; + BKT *bp; +@@ -407,9 +387,7 @@ new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) + * Write a page to disk. + */ + static int +-mpool_write(mp, bp) +- MPOOL *mp; +- BKT *bp; ++mpool_write(MPOOL *mp, BKT *bp) + { + off_t off; + +@@ -451,9 +429,7 @@ mpool_write(mp, bp) + * Lookup a page in the cache. + */ + static BKT * +-mpool_look(mp, pgno) +- MPOOL *mp; +- db_pgno_t pgno; ++mpool_look(MPOOL *mp, db_pgno_t pgno) + { + struct _hqh *head; + BKT *bp; +@@ -478,8 +454,7 @@ mpool_look(mp, pgno) + * Print out cache statistics. + */ + void +-mpool_stat(mp) +- MPOOL *mp; ++mpool_stat(MPOOL *mp) + { + BKT *bp; + int cnt; +@@ -520,8 +495,7 @@ mpool_stat(mp) + } + #else + void +-mpool_stat(mp) +- MPOOL *mp; ++mpool_stat(MPOOL *mp) + { + } + #endif +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_close.c b/src/plugins/kdb/db2/libdb2/recno/rec_close.c +index 4ef4dd1bae..b858e5c909 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_close.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_close.c +@@ -59,8 +59,7 @@ static char sccsid[] = "@(#)rec_close.c 8.9 (Berkeley) 11/18/94"; + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_close(dbp) +- DB *dbp; ++__rec_close(DB *dbp) + { + BTREE *t; + int status; +@@ -108,9 +107,7 @@ __rec_close(dbp) + * RET_SUCCESS, RET_ERROR. 
+ */ + int +-__rec_sync(dbp, flags) +- const DB *dbp; +- u_int flags; ++__rec_sync(const DB *dbp, u_int flags) + { + struct iovec iov[2]; + BTREE *t; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_delete.c b/src/plugins/kdb/db2/libdb2/recno/rec_delete.c +index b69c9ad742..7e574df28e 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_delete.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_delete.c +@@ -61,10 +61,7 @@ static int rec_rdelete __P((BTREE *, recno_t)); + * RET_ERROR, RET_SUCCESS and RET_SPECIAL if the key not found. + */ + int +-__rec_delete(dbp, key, flags) +- const DB *dbp; +- const DBT *key; +- u_int flags; ++__rec_delete(const DB *dbp, const DBT *key, u_int flags) + { + BTREE *t; + recno_t nrec; +@@ -117,9 +114,7 @@ einval: errno = EINVAL; + * RET_ERROR, RET_SUCCESS and RET_SPECIAL if the key not found. + */ + static int +-rec_rdelete(t, nrec) +- BTREE *t; +- recno_t nrec; ++rec_rdelete(BTREE *t, recno_t nrec) + { + EPG *e; + PAGE *h; +@@ -151,10 +146,7 @@ rec_rdelete(t, nrec) + * RET_SUCCESS, RET_ERROR. + */ + int +-__rec_dleaf(t, h, idx) +- BTREE *t; +- PAGE *h; +- u_int32_t idx; ++__rec_dleaf(BTREE *t, PAGE *h, u_int32_t idx) + { + RLEAF *rl; + indx_t *ip, cnt, offset; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_get.c b/src/plugins/kdb/db2/libdb2/recno/rec_get.c +index 230b2d4f54..c89cb556fc 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_get.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_get.c +@@ -60,11 +60,7 @@ static char sccsid[] = "@(#)rec_get.c 8.9 (Berkeley) 8/18/94"; + * RET_ERROR, RET_SUCCESS and RET_SPECIAL if the key not found. 
+ */ + int +-__rec_get(dbp, key, data, flags) +- const DB *dbp; +- const DBT *key; +- DBT *data; +- u_int flags; ++__rec_get(const DB *dbp, const DBT *key, DBT *data, u_int flags) + { + BTREE *t; + EPG *e; +@@ -119,9 +115,7 @@ __rec_get(dbp, key, data, flags) + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_fpipe(t, top) +- BTREE *t; +- recno_t top; ++__rec_fpipe(BTREE *t, recno_t top) + { + DBT data; + recno_t nrec; +@@ -175,9 +169,7 @@ __rec_fpipe(t, top) + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_vpipe(t, top) +- BTREE *t; +- recno_t top; ++__rec_vpipe(BTREE *t, recno_t top) + { + DBT data; + recno_t nrec; +@@ -232,9 +224,7 @@ __rec_vpipe(t, top) + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_fmap(t, top) +- BTREE *t; +- recno_t top; ++__rec_fmap(BTREE *t, recno_t top) + { + DBT data; + recno_t nrec; +@@ -282,9 +272,7 @@ __rec_fmap(t, top) + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_vmap(t, top) +- BTREE *t; +- recno_t top; ++__rec_vmap(BTREE *t, recno_t top) + { + DBT data; + u_char *sp, *ep; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index b0daa7c021..de3fc3f4d0 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -56,10 +56,8 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include "recno.h" + + DB * +-__rec_open(fname, flags, mode, openinfo, dflags) +- const char *fname; +- int flags, mode, dflags; +- const RECNOINFO *openinfo; ++__rec_open(const char *fname, int flags, int mode, const RECNOINFO *openinfo, ++ int dflags) + { + BTREE *t; + BTREEINFO btopeninfo; +@@ -228,8 +226,7 @@ err: sverrno = errno; + } + + int +-__rec_fd(dbp) +- const DB *dbp; ++__rec_fd(const DB *dbp) + { + BTREE *t; + +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_put.c b/src/plugins/kdb/db2/libdb2/recno/rec_put.c +index c53c9578e5..8456f1dbf6 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_put.c ++++ 
b/src/plugins/kdb/db2/libdb2/recno/rec_put.c +@@ -59,11 +59,7 @@ static char sccsid[] = "@(#)rec_put.c 8.7 (Berkeley) 8/18/94"; + * already in the tree and R_NOOVERWRITE specified. + */ + int +-__rec_put(dbp, key, data, flags) +- const DB *dbp; +- DBT *key; +- const DBT *data; +- u_int flags; ++__rec_put(const DB *dbp, DBT *key, const DBT *data, u_int flags) + { + BTREE *t; + DBT fdata, tdata; +@@ -187,11 +183,7 @@ einval: errno = EINVAL; + * RET_ERROR, RET_SUCCESS + */ + int +-__rec_iput(t, nrec, data, flags) +- BTREE *t; +- recno_t nrec; +- const DBT *data; +- u_int flags; ++__rec_iput(BTREE *t, recno_t nrec, const DBT *data, u_int flags) + { + DBT tdata; + EPG *e; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_search.c b/src/plugins/kdb/db2/libdb2/recno/rec_search.c +index 244d79f36d..55e5ba879b 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_search.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_search.c +@@ -61,10 +61,7 @@ static char sccsid[] = "@(#)rec_search.c 8.4 (Berkeley) 7/14/94"; + * the bt_cur field of the tree. A pointer to the field is returned. + */ + EPG * +-__rec_search(t, recno, op) +- BTREE *t; +- recno_t recno; +- enum SRCHOP op; ++__rec_search(BTREE *t, recno_t recno, enum SRCHOP op) + { + indx_t idx; + PAGE *h; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_seq.c b/src/plugins/kdb/db2/libdb2/recno/rec_seq.c +index 8af1378c34..cf48ea24d7 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_seq.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_seq.c +@@ -58,10 +58,7 @@ static char sccsid[] = "@(#)rec_seq.c 8.3 (Berkeley) 7/14/94"; + * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key. 
+ */ + int +-__rec_seq(dbp, key, data, flags) +- const DB *dbp; +- DBT *key, *data; +- u_int flags; ++__rec_seq(const DB *dbp, DBT *key, DBT *data, u_int flags) + { + BTREE *t; + EPG *e; +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_utils.c b/src/plugins/kdb/db2/libdb2/recno/rec_utils.c +index f757a724f5..2eaa39b4a3 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_utils.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_utils.c +@@ -59,11 +59,7 @@ static char sccsid[] = "@(#)rec_utils.c 8.6 (Berkeley) 7/16/94"; + * RET_SUCCESS, RET_ERROR. + */ + int +-__rec_ret(t, e, nrec, key, data) +- BTREE *t; +- EPG *e; +- recno_t nrec; +- DBT *key, *data; ++__rec_ret(BTREE *t, EPG *e, recno_t nrec, DBT *key, DBT *data) + { + RLEAF *rl; + void *p; +diff --git a/src/plugins/kdb/db2/libdb2/test/dbtest.c b/src/plugins/kdb/db2/libdb2/test/dbtest.c +index 5d76b1ddf9..04bf34b90d 100644 +--- a/src/plugins/kdb/db2/libdb2/test/dbtest.c ++++ b/src/plugins/kdb/db2/libdb2/test/dbtest.c +@@ -121,9 +121,7 @@ DB *XXdbp; /* Global for gdb. */ + u_long XXlineno; /* Fast breakpoint for gdb. 
*/ + + int +-main(argc, argv) +- int argc; +- char *argv[]; ++main(int argc, char *argv[]) + { + extern int optind; + extern char *optarg; +@@ -380,8 +378,7 @@ lkey: switch (command) { + #define NOOVERWRITE "put failed, would overwrite key\n" + + void +-compare(db1, db2) +- DBT *db1, *db2; ++compare(DBT *db1, DBT *db2) + { + size_t len; + u_char *p1, *p2; +@@ -402,9 +399,7 @@ compare(db1, db2) + } + + void +-get(dbp, kp) +- DB *dbp; +- DBT *kp; ++get(DB *dbp, DBT *kp) + { + DBT data; + +@@ -437,9 +432,7 @@ get(dbp, kp) + } + + void +-getdata(dbp, kp, dp) +- DB *dbp; +- DBT *kp, *dp; ++getdata(DB *dbp, DBT *kp, DBT *dp) + { + switch (dbp->get(dbp, kp, dp, flags)) { + case 0: +@@ -454,9 +447,7 @@ getdata(dbp, kp, dp) + } + + void +-put(dbp, kp, dp) +- DB *dbp; +- DBT *kp, *dp; ++put(DB *dbp, DBT *kp, DBT *dp) + { + switch (dbp->put(dbp, kp, dp, flags)) { + case 0: +@@ -473,9 +464,7 @@ put(dbp, kp, dp) + } + + void +-rem(dbp, kp) +- DB *dbp; +- DBT *kp; ++rem(DB *dbp, DBT *kp) + { + switch (dbp->del(dbp, kp, flags)) { + case 0: +@@ -502,8 +491,7 @@ rem(dbp, kp) + } + + void +-synk(dbp) +- DB *dbp; ++synk(DB *dbp) + { + switch (dbp->sync(dbp, flags)) { + case 0: +@@ -515,9 +503,7 @@ synk(dbp) + } + + void +-seq(dbp, kp) +- DB *dbp; +- DBT *kp; ++seq(DB *dbp, DBT *kp) + { + DBT data; + +@@ -551,10 +537,7 @@ seq(dbp, kp) + } + + void +-dump(dbp, rev, recurse) +- DB *dbp; +- int rev; +- int recurse; ++dump(DB *dbp, int rev, int recurse) + { + DBT key, data; + int lflags, nflags; +@@ -588,8 +571,7 @@ done: return; + } + + void +-unlinkpg(dbp) +- DB *dbp; ++unlinkpg(DB *dbp) + { + BTREE *t = dbp->internal; + PAGE *h = NULL; +@@ -623,8 +605,7 @@ cleanup: + } + + u_int +-setflags(s) +- char *s; ++setflags(char *s) + { + char *p; + +@@ -648,8 +629,7 @@ setflags(s) + } + + char * +-sflags(lflags) +- int lflags; ++sflags(int lflags) + { + switch (lflags) { + case R_CURSOR: return ("R_CURSOR"); +@@ -667,8 +647,7 @@ sflags(lflags) + } + + DBTYPE +-dbtype(s) +- char *s; 
++dbtype(char *s) + { + if (!strcmp(s, "btree")) + return (DB_BTREE); +@@ -681,9 +660,7 @@ dbtype(s) + } + + void * +-setinfo(db_type, s) +- DBTYPE db_type; +- char *s; ++setinfo(DBTYPE db_type, char *s) + { + static BTREEINFO ib; + static HASHINFO ih; +@@ -777,9 +754,7 @@ setinfo(db_type, s) + } + + void * +-rfile(name, lenp) +- char *name; +- size_t *lenp; ++rfile(char *name, size_t *lenp) + { + struct stat sb; + void *p; +@@ -806,9 +781,7 @@ rfile(name, lenp) + } + + void * +-xmalloc(text, len) +- char *text; +- size_t len; ++xmalloc(char *text, size_t len) + { + void *p; + +diff --git a/src/plugins/kdb/db2/pol_xdr.c b/src/plugins/kdb/db2/pol_xdr.c +index e8576337c8..448d4b0f51 100644 +--- a/src/plugins/kdb/db2/pol_xdr.c ++++ b/src/plugins/kdb/db2/pol_xdr.c +@@ -82,7 +82,7 @@ xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp) + if (!xdr_short(xdrs, &objp->n_tl_data)) + return (FALSE); + if (!xdr_nulltype(xdrs, (void **) &objp->tl_data, +- xdr_krb5_tl_data)) ++ (xdrproc_t)xdr_krb5_tl_data)) + return FALSE; + } + return (TRUE); +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +index 0b56ba86a7..7ddea923a3 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +@@ -186,8 +186,8 @@ static struct _cmd_table { + * The function cmd_lookup returns the structure matching the + * command name and returns NULL if nothing matches. 
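Review bot: `dbtype` only reads its argument (`strcmp(s, "btree")`), so the new prototype could be `dbtype(const char *s)`, matching the `const char *name` this same patch gives `cmd_lookup` in kdb5_ldap_util.c. The same applies to `check_option(char *word, char *option)` in t_trval.c, whose visible body only reads `word[0]`, and probably to the `usage(char *who, int status)` helpers in kdb5_mkdums.c and kdc5_hammer.c, which appear to pass `who` straight to a `"usage: %s"` format; confirm no caller relies on a non-const pointer before changing them. The remainder of each function is outside its hunk.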
+ */ +-static struct _cmd_table *cmd_lookup(name) +- char *name; ++static struct _cmd_table * ++cmd_lookup(const char *name) + { + int i; + +diff --git a/src/plugins/kdb/lmdb/kdb_lmdb.c b/src/plugins/kdb/lmdb/kdb_lmdb.c +index bd288e2236..dbab7967c6 100644 +--- a/src/plugins/kdb/lmdb/kdb_lmdb.c ++++ b/src/plugins/kdb/lmdb/kdb_lmdb.c +@@ -468,13 +468,13 @@ error: + } + + static krb5_error_code +-klmdb_lib_init() ++klmdb_lib_init(void) + { + return 0; + } + + static krb5_error_code +-klmdb_lib_cleanup() ++klmdb_lib_cleanup(void) + { + return 0; + } +diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c +index f4d4380d5b..8d14091f38 100644 +--- a/src/plugins/kdb/test/kdb_test.c ++++ b/src/plugins/kdb/test/kdb_test.c +@@ -312,13 +312,13 @@ make_strings(char **stringattrs, krb5_db_entry *ent) + } + + static krb5_error_code +-test_init() ++test_init(void) + { + return 0; + } + + static krb5_error_code +-test_cleanup() ++test_cleanup(void) + { + return 0; + } +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 8cdc40bfb4..f5aade34cc 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -3471,7 +3471,7 @@ load_pkcs11_module(krb5_context context, const char *modname, + CK_RV (*getflist)(CK_FUNCTION_LIST_PTR_PTR); + struct errinfo einfo = EMPTY_ERRINFO; + const char *errmsg = NULL; +- void (*sym)(); ++ void (*sym)(void); + long err; + CK_RV rv; + +@@ -3490,7 +3490,7 @@ load_pkcs11_module(krb5_context context, const char *modname, + goto error; + } + +- getflist = (CK_RV (*)())sym; ++ getflist = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))sym; + rv = (*getflist)(p11p); + if (rv != CKR_OK) { + TRACE_PKINIT_PKCS11_GETFLIST_FAILED(context, pkcs11err(rv)); +diff --git a/src/plugins/preauth/spake/t_vectors.c b/src/plugins/preauth/spake/t_vectors.c +index 96b0307d78..ecffd3d7ee 100644 +--- 
a/src/plugins/preauth/spake/t_vectors.c ++++ b/src/plugins/preauth/spake/t_vectors.c +@@ -439,7 +439,7 @@ run_test(const struct test *t) + } + + int +-main() ++main(void) + { + size_t i; + +diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c +index 926aa94706..2fa6dce8eb 100644 +--- a/src/tests/asn.1/krb5_decode_test.c ++++ b/src/tests/asn.1/krb5_decode_test.c +@@ -54,9 +54,8 @@ static void ktest_free_reply_key_pack(krb5_context context, + static void ktest_free_kkdcp_message(krb5_context context, + krb5_kkdcp_message *val); + +-int main(argc, argv) +- int argc; +- char **argv; ++int ++main(int argc, char **argv) + { + krb5_data code; + krb5_error_code retval; +diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c +index 26c064e67d..f4e754b1cc 100644 +--- a/src/tests/asn.1/krb5_encode_test.c ++++ b/src/tests/asn.1/krb5_encode_test.c +@@ -37,7 +37,7 @@ krb5_context test_context; + int error_count = 0; + int do_trval = 0; + int first_trval = 1; +-int trval2(); ++int trval2(FILE *, unsigned char *, int, int, int *); + + static void + encoder_print_results(krb5_data *code, char *typestring, char *description) +@@ -51,7 +51,7 @@ encoder_print_results(krb5_data *code, char *typestring, char *description) + else + printf("\n"); + printf("encode_krb5_%s%s:\n", typestring, description); +- r = trval2(stdout, code->data, code->length, 0, &rlen); ++ r = trval2(stdout, (uint8_t *)code->data, code->length, 0, &rlen); + printf("\n"); + if (rlen < 0 || (unsigned int) rlen != code->length) { + printf("Error: length mismatch: was %d, parsed %d\n", +@@ -72,9 +72,8 @@ encoder_print_results(krb5_data *code, char *typestring, char *description) + ktest_destroy_data(&code); + } + +-static void PRS(argc, argv) +- int argc; +- char **argv; ++static void ++PRS(int argc, char **argv) + { + extern char *optarg; + int optchar; +@@ -107,9 +106,7 @@ static void PRS(argc, argv) + } + + int +-main(argc, argv) +- int argc; +- char 
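Review bot: The new `int trval2(FILE *, unsigned char *, int, int, int *);` in krb5_encode_test.c is a hand-copied duplicate of the declaration at the top of trval.c (`int trval2 (FILE *, unsigned char *, int, int, int *);`), so a later change to one will not be caught by the compiler in the other. A small shared header, or including trval.c the way t_trval.c does (`#include "trval.c"`), keeps them in sync. Separately, the call site casts to `(uint8_t *)` while the prototype spells the parameter `unsigned char *`; `(unsigned char *)code->data` avoids two names for the same type, and `code->length` is passed implicitly into the `int len` parameter, which is a narrowing conversion if `krb5_data.length` is unsigned as the `(unsigned int) rlen` comparison suggests.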
**argv; ++main(int argc, char **argv) + { + krb5_data *code; + krb5_error_code retval; +diff --git a/src/tests/asn.1/t_trval.c b/src/tests/asn.1/t_trval.c +index 57d8253880..009ed5bb9e 100644 +--- a/src/tests/asn.1/t_trval.c ++++ b/src/tests/asn.1/t_trval.c +@@ -36,7 +36,8 @@ + -DSTANDALONE code. */ + #include "trval.c" + +-static void usage() ++static void ++usage(void) + { + fprintf(stderr, "Usage: trval [--types] [--krb5] [--krb5decode] [--hex] [-notypebytes] [file]\n"); + exit(1); +@@ -46,10 +47,8 @@ static void usage() + * Returns true if the option was selected. Allow "-option" and + * "--option" syntax, since we used to accept only "-option" + */ +-static +-int check_option(word, option) +- char *word; +- char *option; ++static int ++check_option(char *word, char *option) + { + if (word[0] != '-') + return 0; +@@ -60,9 +59,8 @@ int check_option(word, option) + return 1; + } + +-int main(argc, argv) +- int argc; +- char **argv; ++int ++main(int argc, char **argv) + { + int optflg = 1; + FILE *fp; +diff --git a/src/tests/asn.1/trval.c b/src/tests/asn.1/trval.c +index c14bcdeb69..e0e58cc19e 100644 +--- a/src/tests/asn.1/trval.c ++++ b/src/tests/asn.1/trval.c +@@ -120,7 +120,8 @@ int trval2 (FILE *, unsigned char *, int, int, int *); + + /****************************************************************************/ + +-static int convert_nibble(int ch) ++static int ++convert_nibble(int ch) + { + if (isdigit(ch)) + return (ch - '0'); +@@ -131,9 +132,8 @@ static int convert_nibble(int ch) + return -1; + } + +-int trval(fin, fout) +- FILE *fin; +- FILE *fout; ++int ++trval(FILE *fin, FILE *fout) + { + unsigned char *p; + unsigned int maxlen; +@@ -169,12 +169,8 @@ int trval(fin, fout) + return(r); + } + +-int trval2(fp, enc, len, lev, rlen) +- FILE *fp; +- unsigned char *enc; +- int len; +- int lev; +- int *rlen; ++int ++trval2(FILE *fp, unsigned char *enc, int len, int lev, int *rlen) + { + int l, eid, elen, xlen, r, rlen2 = 0; + int rlen_ext = 0; +@@ -248,10 
+244,8 @@ context_restart: + return(r); + } + +-int decode_len(fp, enc, len) +- FILE *fp; +- unsigned char *enc; +- int len; ++int ++decode_len(FILE *fp, unsigned char *enc, int len) + { + int rlen; + int i; +@@ -270,12 +264,8 @@ int decode_len(fp, enc, len) + /* + * This is the printing function for bit strings + */ +-int do_prim_bitstring(fp, tag, enc, len, lev) +- FILE *fp; +- int tag; +- unsigned char *enc; +- int len; +- int lev; ++int ++do_prim_bitstring(FILE *fp, int tag, unsigned char *enc, int len, int lev) + { + int i; + long num = 0; +@@ -297,12 +287,8 @@ int do_prim_bitstring(fp, tag, enc, len, lev) + /* + * This is the printing function for integers + */ +-int do_prim_int(fp, tag, enc, len, lev) +- FILE *fp; +- int tag; +- unsigned char *enc; +- int len; +- int lev; ++int ++do_prim_int(FILE *fp, int tag, unsigned char *enc, int len, int lev) + { + int i; + long num = 0; +@@ -327,12 +313,8 @@ int do_prim_int(fp, tag, enc, len, lev) + * This is the printing function which we use if it's a string or + * other other type which is best printed as a string + */ +-int do_prim_string(fp, tag, enc, len, lev) +- FILE *fp; +- int tag; +- unsigned char *enc; +- int len; +- int lev; ++int ++do_prim_string(FILE *fp, int tag, unsigned char *enc, int len, int lev) + { + int i; + +@@ -349,12 +331,8 @@ int do_prim_string(fp, tag, enc, len, lev) + return 1; + } + +-int do_prim(fp, tag, enc, len, lev) +- FILE *fp; +- int tag; +- unsigned char *enc; +- int len; +- int lev; ++int ++do_prim(FILE *fp, int tag, unsigned char *enc, int len, int lev) + { + int n; + int i; +@@ -396,12 +374,8 @@ int do_prim(fp, tag, enc, len, lev) + return(OK); + } + +-int do_cons(fp, enc, len, lev, rlen) +- FILE *fp; +- unsigned char *enc; +- int len; +- int lev; +- int *rlen; ++int ++do_cons(FILE *fp, unsigned char *enc, int len, int lev, int *rlen) + { + int n; + int r = 0; +@@ -430,9 +404,8 @@ struct typestring_table { + int new_appl; + }; + +-static char *lookup_typestring(table, key1, key2) 
+- struct typestring_table *table; +- int key1, key2; ++static char * ++lookup_typestring(struct typestring_table *table, int key1, int key2) + { + struct typestring_table *ent; + +@@ -700,10 +673,8 @@ struct typestring_table krb5_fields[] = { + }; + #endif + +-void print_tag_type(fp, eid, lev) +- FILE *fp; +- int eid; +- int lev; ++void ++print_tag_type(FILE *fp, int eid, int lev) + { + int tag = eid & ID_TAG; + int do_space = 1; +diff --git a/src/tests/conccache.c b/src/tests/conccache.c +index 7b0ca6300c..9fe5305761 100644 +--- a/src/tests/conccache.c ++++ b/src/tests/conccache.c +@@ -110,7 +110,7 @@ refresh_cache(krb5_context context) + } + + static pid_t +-spawn_cred_subprocess() ++spawn_cred_subprocess(void) + { + krb5_context context; + pid_t pid; +@@ -133,7 +133,7 @@ spawn_cred_subprocess() + } + + static pid_t +-spawn_refresh_subprocess() ++spawn_refresh_subprocess(void) + { + krb5_context context; + pid_t pid; +diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c +index 7c0666601c..61ca9f67a2 100644 +--- a/src/tests/create/kdb5_mkdums.c ++++ b/src/tests/create/kdb5_mkdums.c +@@ -56,9 +56,7 @@ struct mblock { + int set_dbname_help (char *, char *); + + static void +-usage(who, status) +- char *who; +- int status; ++usage(char *who, int status) + { + fprintf(stderr, + "usage: %s -p prefix -n num_to_create [-d dbpathname] [-r realmname]\n", +@@ -83,9 +81,7 @@ static krb5_boolean manual_mkey = FALSE; + void add_princ (krb5_context, char *); + + int +-main(argc, argv) +- int argc; +- char *argv[]; ++main(int argc, char *argv[]) + { + extern char *optarg; + int optchar, i, n; +@@ -209,9 +205,7 @@ main(argc, argv) + } + + void +-add_princ(context, str_newprinc) +- krb5_context context; +- char * str_newprinc; ++add_princ(krb5_context context, char *str_newprinc) + { + krb5_error_code retval; + krb5_principal newprinc; +@@ -317,9 +311,7 @@ error: /* Do cleanup of newentry regardless of error */ + } + + int +-set_dbname_help(pname, dbname) 
+- char *pname; +- char *dbname; ++set_dbname_help(char *pname, char *dbname) + { + krb5_error_code retval; + krb5_data pwd, scratch; +diff --git a/src/tests/forward.c b/src/tests/forward.c +index 7327cc9e62..90f359a586 100644 +--- a/src/tests/forward.c ++++ b/src/tests/forward.c +@@ -51,7 +51,7 @@ check(krb5_error_code code) + } + + int +-main() ++main(void) + { + krb5_ccache cc; + krb5_creds mcred, tgt, *fcred; +diff --git a/src/tests/gss-threads/gss-client.c b/src/tests/gss-threads/gss-client.c +index c0cf25ddaa..8c006c2915 100644 +--- a/src/tests/gss-threads/gss-client.c ++++ b/src/tests/gss-threads/gss-client.c +@@ -68,7 +68,7 @@ + static int verbose = 1; + + static void +-usage() ++usage(void) + { + fprintf(stderr, "Usage: gss-client [-port port] [-mech mechanism] [-d]\n"); + fprintf(stderr, " [-seq] [-noreplay] [-nomutual]"); +@@ -134,7 +134,7 @@ get_server_info(char *host, u_short port) + * displayed and -1 is returned. + */ + static int +-connect_to_server() ++connect_to_server(void) + { + int s; + +diff --git a/src/tests/gss-threads/gss-server.c b/src/tests/gss-threads/gss-server.c +index a9f980edb2..e0a37738e4 100644 +--- a/src/tests/gss-threads/gss-server.c ++++ b/src/tests/gss-threads/gss-server.c +@@ -74,7 +74,7 @@ + #endif + + static void +-usage() ++usage(void) + { + fprintf(stderr, "Usage: gss-server [-port port] [-verbose] [-once]"); + #ifdef _WIN32 +diff --git a/src/tests/gssapi/reload.c b/src/tests/gssapi/reload.c +index 4fe3565406..00bda32330 100644 +--- a/src/tests/gssapi/reload.c ++++ b/src/tests/gssapi/reload.c +@@ -64,7 +64,7 @@ load_gssapi(void) + } + + int +-main() ++main(void) + { + void *support; + +diff --git a/src/tests/gssapi/t_add_cred.c b/src/tests/gssapi/t_add_cred.c +index 68b37e3ed9..7ab52d6449 100644 +--- a/src/tests/gssapi/t_add_cred.c ++++ b/src/tests/gssapi/t_add_cred.c +@@ -43,7 +43,7 @@ + #include "common.h" + + int +-main() ++main(void) + { + OM_uint32 minor, major; + gss_cred_id_t cred1, cred2; +diff --git 
a/src/tests/gssapi/t_enctypes.c b/src/tests/gssapi/t_enctypes.c +index 3fd31e2f8c..3325db7696 100644 +--- a/src/tests/gssapi/t_enctypes.c ++++ b/src/tests/gssapi/t_enctypes.c +@@ -47,7 +47,7 @@ + */ + + static void +-usage() ++usage(void) + { + errout("Usage: t_enctypes [-i initenctypes] [-a accenctypes] " + "targetname"); +diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c +index 8192935099..a052b8ab6e 100644 +--- a/src/tests/gssapi/t_invalid.c ++++ b/src/tests/gssapi/t_invalid.c +@@ -547,7 +547,7 @@ try_accept(void *value, size_t len) + + /* Accept contexts using superficially valid but truncated encapsulations. */ + static void +-test_short_encapsulation() ++test_short_encapsulation(void) + { + /* Include just the initial application tag, to see if we overrun reading + * the sequence length. */ +diff --git a/src/tests/gssapi/t_oid.c b/src/tests/gssapi/t_oid.c +index 1c9d394167..64253133d2 100644 +--- a/src/tests/gssapi/t_oid.c ++++ b/src/tests/gssapi/t_oid.c +@@ -129,7 +129,7 @@ oid_equal(gss_OID o1, gss_OID o2) + } + + int +-main() ++main(void) + { + size_t i; + OM_uint32 major, minor; +diff --git a/src/tests/gssapi/t_spnego.c b/src/tests/gssapi/t_spnego.c +index 2483228b1b..4091739f83 100644 +--- a/src/tests/gssapi/t_spnego.c ++++ b/src/tests/gssapi/t_spnego.c +@@ -195,7 +195,7 @@ test_mskrb_oid(gss_name_t tname, gss_cred_id_t acred) + /* Check that we return a compatibility NegTokenInit2 message containing + * NegHints for an empty initiator token. 
*/ + static void +-test_neghints() ++test_neghints(void) + { + OM_uint32 major, minor; + gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok; +diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c +index 8220fd97bd..76ef527ccf 100644 +--- a/src/tests/hammer/kdc5_hammer.c ++++ b/src/tests/hammer/kdc5_hammer.c +@@ -68,9 +68,7 @@ int get_tgt + krb5_ccache); + + static void +-usage(who, status) +-char *who; +-int status; ++usage(char *who, int status) + { + fprintf(stderr, + "usage: %s -p prefix -n num_to_check [-c cachename] [-r realmname]\n", +@@ -100,9 +98,7 @@ struct h_timer tgs_req_times = { 0.0, 1000000.0, -1.0, 0 }; + tstart_time.tv_usec))/1000000.0))) + + int +-main(argc, argv) +- int argc; +- char **argv; ++main(int argc, char **argv) + { + krb5_ccache ccache = NULL; + char *cache_name = NULL; /* -f option */ +@@ -271,11 +267,8 @@ main(argc, argv) + + + static krb5_error_code +-get_server_key(context, server, enctype, key) +- krb5_context context; +- krb5_principal server; +- krb5_enctype enctype; +- krb5_keyblock ** key; ++get_server_key(krb5_context context, krb5_principal server, ++ krb5_enctype enctype, krb5_keyblock **key) + { + krb5_error_code retval; + krb5_encrypt_block eblock; +@@ -311,15 +304,10 @@ cleanup_salt: + return retval; + } + +-int verify_cs_pair(context, p_client_str, p_client, service, hostname, +- p_num, c_depth, s_depth, ccache) +- krb5_context context; +- char *p_client_str; +- krb5_principal p_client; +- char * service; +- char * hostname; +- int p_num, c_depth, s_depth; +- krb5_ccache ccache; ++int ++verify_cs_pair(krb5_context context, char *p_client_str, ++ krb5_principal p_client, char *service, char *hostname, ++ int p_num, int c_depth, int s_depth, krb5_ccache ccache) + { + krb5_error_code retval; + krb5_creds creds; +@@ -433,11 +421,9 @@ cleanup: + return retval; + } + +-int get_tgt (context, p_client_str, p_client, ccache) +- krb5_context context; +- char *p_client_str; +- krb5_principal *p_client; +- 
krb5_ccache ccache; ++int ++get_tgt(krb5_context context, char *p_client_str, krb5_principal *p_client, ++ krb5_ccache ccache) + { + long lifetime = KRB5_DEFAULT_LIFE; /* -l option */ + krb5_error_code code; +diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c +index 3f61f3e83b..6459c3390f 100644 +--- a/src/tests/kdbtest.c ++++ b/src/tests/kdbtest.c +@@ -271,7 +271,7 @@ iter_pol_handler(void *data, osa_policy_ent_t pol) + } + + int +-main() ++main(void) + { + krb5_db_entry *ent; + osa_policy_ent_t pol; +diff --git a/src/tests/misc/test_getpw.c b/src/tests/misc/test_getpw.c +index 6031e15035..59ff5d3a5d 100644 +--- a/src/tests/misc/test_getpw.c ++++ b/src/tests/misc/test_getpw.c +@@ -32,7 +32,7 @@ + #include + #include + +-int main() ++int main(void) + { + uid_t my_uid; + struct passwd *pwd, pwx; +diff --git a/src/tests/plugorder.c b/src/tests/plugorder.c +index e1245e4765..a2b7e34eea 100644 +--- a/src/tests/plugorder.c ++++ b/src/tests/plugorder.c +@@ -77,7 +77,7 @@ blt3(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) + } + + int +-main() ++main(void) + { + krb5_plugin_initvt_fn *modules = NULL, *mod; + struct krb5_pwqual_vtable_st vt; +diff --git a/src/tests/shlib/t_loader.c b/src/tests/shlib/t_loader.c +index 29481a7be2..203f023f69 100644 +--- a/src/tests/shlib/t_loader.c ++++ b/src/tests/shlib/t_loader.c +@@ -180,7 +180,7 @@ static void do_close(void *libhandle) + + #endif + +-int main() ++int main(void) + { + void *celib, *k5lib, *gsslib, *celib2; + +diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c +index 82b05ff0da..908f926405 100644 +--- a/src/tests/softpkcs11/main.c ++++ b/src/tests/softpkcs11/main.c +@@ -860,7 +860,7 @@ func_not_supported(void) + } + + static char * +-get_rcfilename() ++get_rcfilename(void) + { + struct passwd *pw; + const char *home = NULL; +diff --git a/src/tests/t_inetd.c b/src/tests/t_inetd.c +index d22cf31ffa..3790467c7b 100644 +--- a/src/tests/t_inetd.c ++++ b/src/tests/t_inetd.c +@@ 
-59,16 +59,15 @@ + + char *progname; + +-static void usage() ++static void ++usage(void) + { + fprintf(stderr, "%s: port program argv0 argv1 ...\n", progname); + exit(1); + } + + int +-main(argc, argv) +- int argc; +- char **argv; ++main(int argc, char **argv) + { + unsigned short port; + char *path; +diff --git a/src/tests/test1.c b/src/tests/test1.c +index aed656ebe3..b213a349bf 100644 +--- a/src/tests/test1.c ++++ b/src/tests/test1.c +@@ -31,7 +31,7 @@ unsigned char key_two[8] = { 0xea, 0x89, 0x57, 0x76, 0x5b, 0xcd, 0x0d, 0x34 }; + + extern void dump_data(); + +-tkt_test_1() ++tkt_test_1(void) + { + krb5_data *data; + krb5_ticket tk_in, *tk_out; +@@ -185,7 +185,7 @@ tkt_test_1() + + + +-main() ++main(void) + { + krb5_init_ets(); + tkt_test_1(); +diff --git a/src/tests/verify/kdb5_verify.c b/src/tests/verify/kdb5_verify.c +index 3b152baed6..d53e92ad45 100644 +--- a/src/tests/verify/kdb5_verify.c ++++ b/src/tests/verify/kdb5_verify.c +@@ -50,9 +50,7 @@ struct mblock { + int set_dbname_help (krb5_context, char *, char *); + + static void +-usage(who, status) +- char *who; +- int status; ++usage(char *who, int status) + { + fprintf(stderr, + "usage: %s -p prefix -n num_to_check [-d dbpathname] [-r realmname]\n", +@@ -78,9 +76,7 @@ static krb5_boolean manual_mkey = FALSE; + int check_princ (krb5_context, char *); + + int +-main(argc, argv) +- int argc; +- char *argv[]; ++main(int argc, char *argv[]) + { + extern char *optarg; + int optchar, i, n; +@@ -221,9 +217,7 @@ main(argc, argv) + } + + int +-check_princ(context, str_princ) +- krb5_context context; +- char * str_princ; ++check_princ(krb5_context context, char *str_princ) + { + krb5_error_code retval; + krb5_db_entry *kdbe = NULL; +@@ -343,10 +337,7 @@ out: + } + + int +-set_dbname_help(context, pname, dbname) +- krb5_context context; +- char *pname; +- char *dbname; ++set_dbname_help(krb5_context context, char *pname, char *dbname) + { + krb5_error_code retval; + krb5_data pwd, scratch; +diff --git 
a/src/util/et/error_message.c b/src/util/et/error_message.c +index 7dc02a34ea..13ad3af6a2 100644 +--- a/src/util/et/error_message.c ++++ b/src/util/et/error_message.c +@@ -82,7 +82,7 @@ void com_err_terminate(void) + #endif + + static char * +-get_thread_buffer () ++get_thread_buffer(void) + { + char *cp; + cp = k5_getspecific(K5_KEY_COM_ERR); +diff --git a/src/util/et/test_et.c b/src/util/et/test_et.c +index 9faf10f460..2002e5ff46 100644 +--- a/src/util/et/test_et.c ++++ b/src/util/et/test_et.c +@@ -17,7 +17,8 @@ extern const char *error_table_name (errcode_t); + extern int sys_nerr; + #endif + +-int main() ++int ++main(void) + { + printf("Before initiating error table:\n\n"); + #ifndef EXPORT_LIST +diff --git a/src/util/profile/prof_init.c b/src/util/profile/prof_init.c +index cc92248f42..077c852e49 100644 +--- a/src/util/profile/prof_init.c ++++ b/src/util/profile/prof_init.c +@@ -103,7 +103,7 @@ init_load_module(const char *modspec, profile_t *ret_profile) + struct errinfo einfo = { 0 }; + prf_lib_handle_t lib_handle = NULL; + struct plugin_file_handle *plhandle = NULL; +- void *cbdata = NULL, (*fptr)(); ++ void *cbdata = NULL, (*fptr)(void); + int have_lock = 0, have_cbdata = 0; + struct profile_vtable vtable = { 1 }; /* Set minor_ver to 1, rest null. */ + errcode_t err; +diff --git a/src/util/profile/t_profile.c b/src/util/profile/t_profile.c +index b0e715ba02..bffd115618 100644 +--- a/src/util/profile/t_profile.c ++++ b/src/util/profile/t_profile.c +@@ -72,7 +72,7 @@ write_file(const char *name, int nlines, ...) + /* Regression test for #2685 (profile iterator breaks when modifications + * made) */ + static void +-test_iterate() ++test_iterate(void) + { + profile_t p; + void *iter; +@@ -129,7 +129,7 @@ test_iterate() + * global shared profiles list. 
+ */ + static void +-test_shared() ++test_shared(void) + { + profile_t a, b; + struct utimbuf times; +@@ -164,7 +164,7 @@ test_shared() + /* Regression test for #2950 (profile_clear_relation not reflected within + * handle where deletion is performed) */ + static void +-test_clear() ++test_clear(void) + { + profile_t p; + const char *names[] = { "test section 1", "quux", NULL }; +@@ -183,7 +183,7 @@ test_clear() + } + + static void +-test_include() ++test_include(void) + { + profile_t p; + const char *names[] = { "test section 1", "bar", NULL }; +@@ -237,7 +237,7 @@ test_include() + + /* Test syntactic independence of included profile files. */ + static void +-test_independence() ++test_independence(void) + { + profile_t p; + const char *names1[] = { "sec1", "var", "a", NULL }; +@@ -264,7 +264,7 @@ test_independence() + + /* Regression test for #7971 (deleted sections should not be iterable) */ + static void +-test_delete_section() ++test_delete_section(void) + { + profile_t p; + const char *sect[] = { "test section 1", NULL }; +@@ -290,7 +290,7 @@ test_delete_section() + /* Regression test for #7971 (profile_clear_relation() error with deleted node + * at end of value set) */ + static void +-test_delete_clear_relation() ++test_delete_clear_relation(void) + { + profile_t p; + const char *names[] = { "test section 1", "testkey", NULL }; +@@ -305,7 +305,7 @@ test_delete_clear_relation() + + /* Test that order of relations is preserved if some relations are deleted. 
*/ + static void +-test_delete_ordering() ++test_delete_ordering(void) + { + profile_t p; + const char *names[] = { "test section 1", "testkey", NULL }; +@@ -329,7 +329,7 @@ test_delete_ordering() + /* Regression test for #8431 (profile_flush_to_file erroneously changes flag + * state on source object) */ + static void +-test_flush_to_file() ++test_flush_to_file(void) + { + profile_t p; + +@@ -349,7 +349,7 @@ test_flush_to_file() + /* Regression test for #7863 (multiply-specified subsections should + * be merged) */ + static void +-test_merge_subsections() ++test_merge_subsections(void) + { + profile_t p; + const char *n1[] = { "test section 2", "child_section2", "child", NULL }; +@@ -374,7 +374,7 @@ test_merge_subsections() + } + + int +-main() ++main(void) + { + test_iterate(); + test_shared(); +diff --git a/src/util/profile/test_load.c b/src/util/profile/test_load.c +index cb870eff93..fe2d1e3e72 100644 +--- a/src/util/profile/test_load.c ++++ b/src/util/profile/test_load.c +@@ -29,7 +29,7 @@ + #include "prof_int.h" + + int +-main() ++main(void) + { + profile_t pr, pr2; + const char *files[] = { "./modtest.conf", NULL }; +diff --git a/src/util/profile/test_parse.c b/src/util/profile/test_parse.c +index 9f2631e949..0532254e8c 100644 +--- a/src/util/profile/test_parse.c ++++ b/src/util/profile/test_parse.c +@@ -11,9 +11,8 @@ + + void dump_profile (struct profile_node *root, int level); + +-int main(argc, argv) +- int argc; +- char **argv; ++int ++main(int argc, char **argv) + { + struct profile_node *root; + unsigned long retval; +diff --git a/src/util/profile/test_profile.c b/src/util/profile/test_profile.c +index 6f6fcc7ac5..31b1063951 100644 +--- a/src/util/profile/test_profile.c ++++ b/src/util/profile/test_profile.c +@@ -19,8 +19,8 @@ const char *program_name = "test_profile"; + #define PRINT_VALUE 1 + #define PRINT_VALUES 2 + +-static void do_batchmode(profile) +- profile_t profile; ++static void ++do_batchmode(profile_t profile) + { + errcode_t retval; + int 
argc, ret; +@@ -108,10 +108,8 @@ static void do_batchmode(profile) + + } + +- +-int main(argc, argv) +- int argc; +- char **argv; ++int ++main(int argc, char **argv) + { + profile_t profile; + long retval; +diff --git a/src/util/profile/test_vtable.c b/src/util/profile/test_vtable.c +index 9a0b2278a7..a7b6f54ae9 100644 +--- a/src/util/profile/test_vtable.c ++++ b/src/util/profile/test_vtable.c +@@ -232,7 +232,8 @@ struct profile_vtable full_vtable = { + full_flush + }; + +-int main() ++int ++main(void) + { + profile_t profile; + char **values, *str, *name, *value; +diff --git a/src/util/ss/error.c b/src/util/ss/error.c +index b5768a62b7..e5cd1b2d12 100644 +--- a/src/util/ss/error.c ++++ b/src/util/ss/error.c +@@ -33,8 +33,8 @@ + #include "com_err.h" + #include "copyright.h" + +-char * ss_name(sci_idx) +- int sci_idx; ++char * ++ss_name(int sci_idx) + { + ss_data *infop; + +@@ -50,7 +50,8 @@ char * ss_name(sci_idx) + } + } + +-void ss_error (int sci_idx, long code, const char * fmt, ...) ++void ++ss_error(int sci_idx, long code, const char *fmt, ...) + { + char *whoami; + va_list pvar; +@@ -61,10 +62,8 @@ void ss_error (int sci_idx, long code, const char * fmt, ...) 
+ va_end(pvar); + } + +-void ss_perror (sci_idx, code, msg) /* for compatibility */ +- int sci_idx; +- long code; +- char const *msg; ++void ++ss_perror(int sci_idx, long code, char const *msg) /* for compatibility */ + { + ss_error (sci_idx, code, "%s", msg); + } +diff --git a/src/util/ss/execute_cmd.c b/src/util/ss/execute_cmd.c +index c06ee56547..065c24148b 100644 +--- a/src/util/ss/execute_cmd.c ++++ b/src/util/ss/execute_cmd.c +@@ -52,11 +52,9 @@ + * Notes: + */ + +-static int check_request_table (rqtbl, argc, argv, sci_idx) +- ss_request_table *rqtbl; +- int argc; +- char *argv[]; +- int sci_idx; ++static int ++check_request_table(ss_request_table *rqtbl, int argc, char *argv[], ++ int sci_idx) + { + ss_request_entry *request; + ss_data *info; +@@ -101,10 +99,8 @@ static int check_request_table (rqtbl, argc, argv, sci_idx) + * Notes: + */ + +-static int really_execute_command (sci_idx, argc, argv) +- int sci_idx; +- int argc; +- char **argv[]; ++static int ++really_execute_command(int sci_idx, int argc, char **argv[]) + { + ss_request_table **rqtbl; + ss_data *info; +@@ -135,9 +131,7 @@ static int really_execute_command (sci_idx, argc, argv) + */ + + int +-ss_execute_command(sci_idx, argv) +- int sci_idx; +- char *argv[]; ++ss_execute_command(int sci_idx, char *argv[]) + { + unsigned int i, argc; + char **argp; +@@ -172,9 +166,8 @@ ss_execute_command(sci_idx, argv) + * Notes: + */ + +-int ss_execute_line (sci_idx, line_ptr) +- int sci_idx; +- char *line_ptr; ++int ++ss_execute_line(int sci_idx, char *line_ptr) + { + char **argv; + int argc, ret; +diff --git a/src/util/ss/help.c b/src/util/ss/help.c +index 6d333c9710..747fde5351 100644 +--- a/src/util/ss/help.c ++++ b/src/util/ss/help.c +@@ -15,11 +15,8 @@ + #include "copyright.h" + + +-void ss_help (argc, argv, sci_idx, info_ptr) +- int argc; +- char const * const *argv; +- int sci_idx; +- pointer info_ptr; ++void ++ss_help(int argc, char const * const *argv, int sci_idx, pointer info_ptr) + { + char 
buffer[MAXPATHLEN]; + char const *request_name; +@@ -81,15 +78,11 @@ got_it: + ss_page_stdin(); + default: + (void) close(fd); /* what can we do if it fails? */ +-#ifdef WAIT_USES_INT +- while (wait((int *)NULL) != child) { +-#else +- while (wait((union wait *)NULL) != child) { +-#endif +- /* do nothing if wrong pid */ +- }; +- } ++ while (wait(NULL) != child) { ++ /* do nothing if wrong pid */ ++ }; + } ++} + + #ifndef USE_DIRENT_H + #include +@@ -97,60 +90,56 @@ got_it: + #include + #endif + +- void ss_add_info_dir(sci_idx, info_dir, code_ptr) +- int sci_idx; +- char *info_dir; +- int *code_ptr; +- { +- ss_data *info; +- DIR *d; +- int n_dirs; +- char **dirs; ++void ++ss_add_info_dir(int sci_idx, char *info_dir, int *code_ptr) ++{ ++ ss_data *info; ++ DIR *d; ++ int n_dirs; ++ char **dirs; + +- info = ss_info(sci_idx); +- if ((info_dir == NULL) || (*info_dir == '\0')) { +- *code_ptr = SS_ET_NO_INFO_DIR; +- return; +- } +- if ((d = opendir(info_dir)) == (DIR *)NULL) { +- *code_ptr = errno; +- return; +- } +- closedir(d); +- dirs = info->info_dirs; +- for (n_dirs = 0; dirs[n_dirs] != (char *)NULL; n_dirs++) +- ; /* get number of non-NULL dir entries */ +- dirs = (char **)realloc((char *)dirs, +- (unsigned)(n_dirs + 2)*sizeof(char *)); +- if (dirs == (char **)NULL) { +- info->info_dirs = (char **)NULL; +- *code_ptr = errno; +- return; +- } +- info->info_dirs = dirs; +- dirs[n_dirs + 1] = (char *)NULL; +- dirs[n_dirs] = strdup(info_dir); +- *code_ptr = 0; ++ info = ss_info(sci_idx); ++ if ((info_dir == NULL) || (*info_dir == '\0')) { ++ *code_ptr = SS_ET_NO_INFO_DIR; ++ return; ++ } ++ if ((d = opendir(info_dir)) == (DIR *)NULL) { ++ *code_ptr = errno; ++ return; + } ++ closedir(d); ++ dirs = info->info_dirs; ++ for (n_dirs = 0; dirs[n_dirs] != (char *)NULL; n_dirs++) ++ ; /* get number of non-NULL dir entries */ ++ dirs = (char **)realloc((char *)dirs, ++ (unsigned)(n_dirs + 2)*sizeof(char *)); ++ if (dirs == (char **)NULL) { ++ info->info_dirs = (char **)NULL; ++ 
*code_ptr = errno; ++ return; ++ } ++ info->info_dirs = dirs; ++ dirs[n_dirs + 1] = (char *)NULL; ++ dirs[n_dirs] = strdup(info_dir); ++ *code_ptr = 0; ++} + +- void ss_delete_info_dir(sci_idx, info_dir, code_ptr) +- int sci_idx; +- char *info_dir; +- int *code_ptr; +- { +- char **i_d; +- char **info_dirs; ++void ++ss_delete_info_dir(int sci_idx, char *info_dir, int *code_ptr) ++{ ++ char **i_d; ++ char **info_dirs; + +- info_dirs = ss_info(sci_idx)->info_dirs; +- for (i_d = info_dirs; *i_d; i_d++) { +- if (!strcmp(*i_d, info_dir)) { +- while (*i_d) { +- *i_d = *(i_d+1); +- i_d++; +- } +- *code_ptr = 0; +- return; ++ info_dirs = ss_info(sci_idx)->info_dirs; ++ for (i_d = info_dirs; *i_d; i_d++) { ++ if (!strcmp(*i_d, info_dir)) { ++ while (*i_d) { ++ *i_d = *(i_d+1); ++ i_d++; + } ++ *code_ptr = 0; ++ return; + } +- *code_ptr = SS_ET_NO_INFO_DIR; + } ++ *code_ptr = SS_ET_NO_INFO_DIR; ++} +diff --git a/src/util/ss/invocation.c b/src/util/ss/invocation.c +index 378bc3e927..7736c957d4 100644 +--- a/src/util/ss/invocation.c ++++ b/src/util/ss/invocation.c +@@ -36,12 +36,10 @@ + _ss_table[sci_idx], make sure you change the allocation routine to + not assume there are no null pointers in the middle of the + array. 
*/ +-int ss_create_invocation(subsystem_name, version_string, info_ptr, +- request_table_ptr, code_ptr) +- char *subsystem_name, *version_string; +- char *info_ptr; +- ss_request_table *request_table_ptr; +- int *code_ptr; ++int ++ss_create_invocation(char *subsystem_name, char *version_string, ++ char *info_ptr, ss_request_table *request_table_ptr, ++ int *code_ptr) + { + int sci_idx; + ss_data *new_table; +@@ -115,8 +113,7 @@ int ss_create_invocation(subsystem_name, version_string, info_ptr, + } + + void +-ss_delete_invocation(sci_idx) +- int sci_idx; ++ss_delete_invocation(int sci_idx) + { + ss_data *t; + int ignored_code; +diff --git a/src/util/ss/list_rqs.c b/src/util/ss/list_rqs.c +index c0882bf908..8376e21be8 100644 +--- a/src/util/ss/list_rqs.c ++++ b/src/util/ss/list_rqs.c +@@ -21,15 +21,8 @@ static char const twentyfive_spaces[26] = + static char const NL[2] = "\n"; + + void +-ss_list_requests(argc, argv, sci_idx, info_ptr) +- int argc; +- const char * const *argv; +- int sci_idx; +-#ifdef __STDC__ +- void *info_ptr; +-#else +- char *info_ptr; +-#endif ++ss_list_requests(int argc, const char * const *argv, int sci_idx, ++ void *info_ptr) + { + ss_request_entry *entry; + char const *const *name; +diff --git a/src/util/ss/listen.c b/src/util/ss/listen.c +index fe18475447..79f258fbc4 100644 +--- a/src/util/ss/listen.c ++++ b/src/util/ss/listen.c +@@ -28,7 +28,8 @@ static jmp_buf listen_jmpb; + + #ifdef NO_READLINE + /* Dumb replacement for readline when we don't have support for a real one. */ +-static char *readline(const char *prompt) ++static char * ++readline(const char *prompt) + { + struct termios termbuf; + char input[BUFSIZ]; +@@ -49,20 +50,21 @@ static char *readline(const char *prompt) + } + + /* No-op replacement for add_history() when we have no readline support. 
*/ +-static void add_history(const char *line) ++static void ++add_history(const char *line) + { + } + #endif + +-static void listen_int_handler(signo) +- int signo; ++static void ++listen_int_handler(int signo) + { + putc('\n', stdout); + longjmp(listen_jmpb, 1); + } + +-int ss_listen (sci_idx) +- int sci_idx; ++int ++ss_listen(int sci_idx) + { + char *cp; + ss_data *info; +@@ -83,12 +85,12 @@ int ss_listen (sci_idx) + info->abort = 0; + + #ifdef POSIX_SIGNALS +- csig.sa_handler = (void (*)())0; ++ csig.sa_handler = (void (*)(int))0; + sigemptyset(&nmask); + sigaddset(&nmask, SIGINT); + sigprocmask(SIG_BLOCK, &nmask, &omask); + #else +- sig_cont = (void (*)())0; ++ sig_cont = (void (*)(int))0; + mask = sigblock(sigmask(SIGINT)); + #endif + +@@ -115,7 +117,7 @@ int ss_listen (sci_idx) + nsig.sa_handler = listen_int_handler; /* fgets is not signal-safe */ + osig = csig; + sigaction(SIGCONT, &nsig, &csig); +- if ((void (*)())csig.sa_handler==(void (*)())listen_int_handler) ++ if ((void (*)(int))csig.sa_handler==(void (*)(int))listen_int_handler) + csig = osig; + #else + old_sig_cont = sig_cont; +@@ -166,20 +168,16 @@ egress: + return code; + } + +-void ss_abort_subsystem(sci_idx, code) +- int sci_idx; +- int code; ++void ++ss_abort_subsystem(int sci_idx, int code) + { + ss_info(sci_idx)->abort = 1; + ss_info(sci_idx)->exit_status = code; + + } + +-void ss_quit(argc, argv, sci_idx, infop) +- int argc; +- char const * const *argv; +- int sci_idx; +- pointer infop; ++void ++ss_quit(int argc, char const * const *argv, int sci_idx, pointer infop) + { + ss_abort_subsystem(sci_idx, 0); + } +diff --git a/src/util/ss/pager.c b/src/util/ss/pager.c +index 3e47ed3993..255c721ad1 100644 +--- a/src/util/ss/pager.c ++++ b/src/util/ss/pager.c +@@ -10,13 +10,13 @@ + #include "copyright.h" + #include + #include ++#include + #include + #include + #include + + static char MORE[] = "more"; + extern char *_ss_pager_name; +-extern char *getenv(); + + /* + * this needs a *lot* of work.... 
+@@ -25,10 +25,10 @@ extern char *getenv(); + * handle SIGINT sensibly + * allow finer control -- put-page-break-here + */ +-void ss_page_stdin(); ++void ss_page_stdin(void); + + #ifndef NO_FORK +-int ss_pager_create() ++int ss_pager_create(void) + { + int filedes[2]; + +@@ -56,7 +56,7 @@ int ss_pager_create() + } + } + #else /* don't fork */ +-int ss_pager_create() ++int ss_pager_create(void) + { + int fd; + fd = open("/dev/tty", O_WRONLY, 0); +@@ -66,7 +66,7 @@ int ss_pager_create() + } + #endif + +-void ss_page_stdin() ++void ss_page_stdin(void) + { + int i; + #ifdef POSIX_SIGNALS +diff --git a/src/util/ss/parse.c b/src/util/ss/parse.c +index 78a831bf36..6fb031cdcd 100644 +--- a/src/util/ss/parse.c ++++ b/src/util/ss/parse.c +@@ -53,10 +53,8 @@ enum parse_mode { WHITESPACE, TOKEN, QUOTED_STRING }; + #define NEW_ARGV(old,n) (char **)realloc((char *)old, \ + (unsigned)(n+2)*sizeof(char*)) + +-char **ss_parse (sci_idx, line_ptr, argc_ptr) +- int sci_idx; +- char *line_ptr; +- int *argc_ptr; ++char ** ++ss_parse(int sci_idx, char *line_ptr, int *argc_ptr) + { + char **argv, *cp; + char **newargv; +diff --git a/src/util/ss/prompt.c b/src/util/ss/prompt.c +index 5aa2ad6140..48e57d6702 100644 +--- a/src/util/ss/prompt.c ++++ b/src/util/ss/prompt.c +@@ -11,16 +11,13 @@ + #include "ss_internal.h" + + void +-ss_set_prompt(sci_idx, new_prompt) +- int sci_idx; +- char *new_prompt; ++ss_set_prompt(int sci_idx, char *new_prompt) + { + ss_info(sci_idx)->prompt = new_prompt; + } + + char * +-ss_get_prompt(sci_idx) +- int sci_idx; ++ss_get_prompt(int sci_idx) + { + return(ss_info(sci_idx)->prompt); + } +diff --git a/src/util/ss/request_tbl.c b/src/util/ss/request_tbl.c +index 03cde1b7d0..fc4461bb00 100644 +--- a/src/util/ss/request_tbl.c ++++ b/src/util/ss/request_tbl.c +@@ -11,11 +11,7 @@ + #define ssrt ss_request_table /* for some readable code... 
*/ + + void +-ss_add_request_table(sci_idx, rqtbl_ptr, position, code_ptr) +- int sci_idx; +- ssrt *rqtbl_ptr; +- int position; /* 1 -> becomes second... */ +- int *code_ptr; ++ss_add_request_table(int sci_idx, ssrt *rqtbl_ptr, int position, int *code_ptr) + { + ss_data *info; + int i, size; +@@ -44,10 +40,7 @@ ss_add_request_table(sci_idx, rqtbl_ptr, position, code_ptr) + } + + void +-ss_delete_request_table(sci_idx, rqtbl_ptr, code_ptr) +- int sci_idx; +- ssrt *rqtbl_ptr; +- int *code_ptr; ++ss_delete_request_table(int sci_idx, ssrt *rqtbl_ptr, int *code_ptr) + { + ss_data *info; + ssrt **rt1, **rt2; +diff --git a/src/util/ss/requests.c b/src/util/ss/requests.c +index aa6752fa11..651f2201d2 100644 +--- a/src/util/ss/requests.c ++++ b/src/util/ss/requests.c +@@ -9,7 +9,7 @@ + #include + #include "ss_internal.h" + +-#define DECLARE(name) void name(argc,argv,sci_idx,info_ptr)int argc,sci_idx;const char * const *argv; pointer info_ptr; ++#define DECLARE(name) void name(int argc, const char *const *argv, int sci_idx, pointer info_ptr) + + /* + * ss_self_identify -- assigned by default to the "." request +diff --git a/src/util/ss/ss.h b/src/util/ss/ss.h +index 38d8974e3c..faac0d97c1 100644 +--- a/src/util/ss/ss.h ++++ b/src/util/ss/ss.h +@@ -48,7 +48,6 @@ typedef struct _ss_rp_options { /* DEFAULT VALUES */ + void ss_help __SS_PROTO; + void ss_list_requests __SS_PROTO; + void ss_quit __SS_PROTO; +-char *ss_current_request(); + char *ss_name(int); + void ss_error (int, long, char const *, ...) 
+ #if !defined(__cplusplus) && (__GNUC__ > 2) +diff --git a/src/util/ss/ss_internal.h b/src/util/ss/ss_internal.h +index 1f5ddfff91..cdd88af218 100644 +--- a/src/util/ss/ss_internal.h ++++ b/src/util/ss/ss_internal.h +@@ -84,8 +84,7 @@ typedef struct _ss_data { /* init values */ + #define ss_info(sci_idx) (_ss_table[sci_idx]) + #define ss_current_request(sci_idx,code_ptr) \ + (*code_ptr=0,ss_info(sci_idx)->current_request) +-void ss_unknown_function(); +-void ss_delete_info_dir(); ++void ss_delete_info_dir(int, char *, int *); + char **ss_parse (int, char *, int *); + ss_abbrev_info *ss_abbrev_initialize (char *, int *); + void ss_page_stdin (void); +diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c +index 0850565687..253b118dcb 100644 +--- a/src/util/support/plugins.c ++++ b/src/util/support/plugins.c +@@ -240,13 +240,13 @@ krb5int_get_plugin_data(struct plugin_file_handle *h, const char *csymname, + + long KRB5_CALLCONV + krb5int_get_plugin_func(struct plugin_file_handle *h, const char *csymname, +- void (**sym_out)(), struct errinfo *ep) ++ void (**sym_out)(void), struct errinfo *ep) + { + void *dptr = NULL; + long ret = get_sym(h, csymname, &dptr, ep); + + if (!ret) +- *sym_out = (void (*)())dptr; ++ *sym_out = (void (*)(void))dptr; + return ret; + } + +@@ -552,7 +552,7 @@ krb5int_get_plugin_dir_func (struct plugin_dir_handle *dirhandle, + struct errinfo *ep) + { + long err = 0; +- void (**p)() = NULL; ++ void (**p)(void) = NULL; + size_t count = 0; + + /* XXX Do we need to add a leading "_" to the symbol name on any +@@ -569,10 +569,10 @@ krb5int_get_plugin_dir_func (struct plugin_dir_handle *dirhandle, + int i = 0; + + for (i = 0; !err && (dirhandle->files[i] != NULL); i++) { +- void (*sym)() = NULL; ++ void (*sym)(void) = NULL; + + if (krb5int_get_plugin_func (dirhandle->files[i], symname, &sym, ep) == 0) { +- void (**newp)() = NULL; ++ void (**newp)(void) = NULL; + + count++; + newp = realloc (p, ((count + 1) * sizeof (*p))); /* +1 for 
NULL */ +diff --git a/src/util/support/t_hashtab.c b/src/util/support/t_hashtab.c +index f51abc4f19..d90d5d9d02 100644 +--- a/src/util/support/t_hashtab.c ++++ b/src/util/support/t_hashtab.c +@@ -104,7 +104,7 @@ const uint64_t vectors[64] = { + }; + + static void +-test_siphash() ++test_siphash(void) + { + uint8_t seq[64]; + uint64_t k0, k1, hval; +@@ -122,7 +122,7 @@ test_siphash() + } + + static void +-test_hashtab() ++test_hashtab(void) + { + int st; + struct k5_hashtab *ht; +@@ -168,7 +168,7 @@ test_hashtab() + } + + int +-main() ++main(void) + { + test_siphash(); + test_hashtab(); +diff --git a/src/util/support/t_hex.c b/src/util/support/t_hex.c +index a586a1bc89..40e6aa2327 100644 +--- a/src/util/support/t_hex.c ++++ b/src/util/support/t_hex.c +@@ -137,7 +137,8 @@ struct { + { "F8F9FAFBFCFDFEFF", "\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 8, 1 }, + }; + +-int main() ++int ++main(void) + { + size_t i; + char *hex; +diff --git a/src/util/support/t_json.c b/src/util/support/t_json.c +index 1f229247b4..bacca6f8da 100644 +--- a/src/util/support/t_json.c ++++ b/src/util/support/t_json.c +@@ -86,7 +86,7 @@ check(int pred, const char *str) + } + + static void +-test_array() ++test_array(void) + { + k5_json_string v1; + k5_json_number v2; +diff --git a/src/util/support/t_k5buf.c b/src/util/support/t_k5buf.c +index 734b2720c0..18e7e9b7be 100644 +--- a/src/util/support/t_k5buf.c ++++ b/src/util/support/t_k5buf.c +@@ -54,7 +54,7 @@ check_buf(struct k5buf *buf, const char *name) + } + + static void +-test_basic() ++test_basic(void) + { + struct k5buf buf; + char storage[1024]; +@@ -76,7 +76,7 @@ test_basic() + } + + static void +-test_realloc() ++test_realloc(void) + { + struct k5buf buf; + char data[1024]; +@@ -132,7 +132,7 @@ test_realloc() + } + + static void +-test_overflow() ++test_overflow(void) + { + struct k5buf buf; + char storage[10]; +@@ -153,7 +153,7 @@ test_overflow() + } + + static void +-test_error() ++test_error(void) + { + struct k5buf buf; + char storage[1]; 
+@@ -173,7 +173,7 @@ test_error() + } + + static void +-test_truncate() ++test_truncate(void) + { + struct k5buf buf; + +@@ -188,7 +188,7 @@ test_truncate() + } + + static void +-test_binary() ++test_binary(void) + { + struct k5buf buf; + char data[] = { 'a', 0, 'b' }, *s; +@@ -205,7 +205,7 @@ test_binary() + } + + static void +-test_fmt() ++test_fmt(void) + { + struct k5buf buf; + char storage[10], data[1024]; +@@ -246,7 +246,7 @@ test_fmt() + } + + int +-main() ++main(void) + { + test_basic(); + test_realloc(); +diff --git a/src/util/support/t_unal.c b/src/util/support/t_unal.c +index f67cd31edf..6d097f0f83 100644 +--- a/src/util/support/t_unal.c ++++ b/src/util/support/t_unal.c +@@ -2,7 +2,8 @@ + #undef NDEBUG + #include "k5-platform.h" + +-int main () ++int ++main(void) + { + /* Test some low-level assumptions the Kerberos code depends + on. */ +-- +2.45.1 + diff --git a/SOURCES/0016-Replace-ssl.wrap_socket-for-tests.patch b/SOURCES/0016-Replace-ssl.wrap_socket-for-tests.patch new file mode 100644 index 0000000..925bf4c --- /dev/null +++ b/SOURCES/0016-Replace-ssl.wrap_socket-for-tests.patch 
@@ -0,0 +1,64 @@
+From abb95e961f4e6a5482220a64fba843a3adc171df Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 19 Jul 2023 13:43:17 +0200
+Subject: [PATCH] Replace ssl.wrap_socket() for tests
+
+The ssl.wrap_socket() function was deprecated in Python 3.7 and is
+removed in Python 3.12. The ssl.SSLContext.wrap_socket() method
+replaces it.
+
+Bump the required Python version for tests to 3.4 for
+ssl.create_default_context().
+
+[ghudson@mit.edu: changed minimum Python version]
+
+(cherry picked from commit 0ceab6c363e65fb21d3312a663f2b9b569ecc415)
+---
+ src/configure.ac | 9 ++++-----
+ src/util/wsgiref-kdcproxy.py | 4 +++-
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 2561e917a2..487f393146 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1157,10 +1157,9 @@ AC_SUBST(PKINIT)
+ # for lib/apputils
+ AC_REPLACE_FUNCS(daemon)
+
+-# For Python tests. Python version 3.2.4 is required as prior
+-# versions do not accept string input to subprocess.Popen.communicate
+-# when universal_newlines is set.
+-PYTHON_MINVERSION=3.2.4
++# For Python tests. Python version 3.4 is required for
++# ssl.create_default_context().
++PYTHON_MINVERSION=3.4
+ AC_SUBST(PYTHON_MINVERSION)
+ AC_CHECK_PROG(PYTHON,python3,python3)
+ if test x"$PYTHON" = x; then
+@@ -1168,7 +1167,7 @@ if test x"$PYTHON" = x; then
+ fi
+ HAVE_PYTHON=no
+ if test x"$PYTHON" != x; then
+- wantver="(sys.hexversion >= 0x30204F0)"
++ wantver="(sys.hexversion >= 0x30400F0)"
+ if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then
+ HAVE_PYTHON=yes
+ fi
+diff --git a/src/util/wsgiref-kdcproxy.py b/src/util/wsgiref-kdcproxy.py
+index 58759696b6..d1d10d733c 100755
+--- a/src/util/wsgiref-kdcproxy.py
++++ b/src/util/wsgiref-kdcproxy.py
+@@ -14,6 +14,8 @@ else:
+ pem = '*'
+
+ server = make_server('localhost', port, kdcproxy.Application())
+-server.socket = ssl.wrap_socket(server.socket, certfile=pem, server_side=True)
++sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
++sslctx.load_cert_chain(certfile=pem)
++server.socket = sslctx.wrap_socket(server.socket, server_side=True)
+ os.write(sys.stdout.fileno(), b'proxy server ready\n')
+ server.serve_forever()
+--
+2.45.1
+
diff --git a/SOURCES/0017-Fix-unimportant-memory-leaks.patch
new file mode 100644
index 0000000..a41ef95
--- /dev/null
+++ b/SOURCES/0017-Fix-unimportant-memory-leaks.patch
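Review bot: The new `sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)` line in wsgiref-kdcproxy.py should carry a comment explaining the purpose choice, since `Purpose.CLIENT_AUTH` is the purpose for a server-side context and it leaves client-certificate verification off, which is what the removed `ssl.wrap_socket()` call did by default. Unlike the old call, `create_default_context()` also applies the library's hardened defaults (legacy SSL versions and weak ciphers disabled), which is a behaviour change for any test client that relied on the previous permissive settings, and the commit message does not mention it. I would add `# Server-side context; like the old wrap_socket() default it does not request a client certificate, but it now uses ssl's hardened protocol/cipher defaults.` above that line. The `pem = '*'` fallback in the context lines is passed to `load_cert_chain()` unchanged, and what that sentinel means is decided outside the hunk.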
@@ -0,0 +1,2316 @@ +From 0628ab09deb09b98c171316c0b9718914e18e9f4 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Thu, 13 Jul 2023 16:22:30 -0400 +Subject: [PATCH] Fix unimportant memory leaks + +Eliminate memory leaks detected through static analysis and manual +review. These leaks are unlikely to happen repeatedly in long-running +processes. + +[jrische@redhat.com: fixed many additional leaks] +[ghudson@mit.edu: fixed additional leaks; edited for style; removed +some unused ksu functions; rewrote commit message] + +(cherry picked from commit 6c5471176f5266564fbc8a7e02f03b4b042202f8) +--- + src/appl/gss-sample/gss-client.c | 367 ++++++++---------- + src/appl/gss-sample/gss-server.c | 3 +- + src/clients/klist/klist.c | 59 +-- + src/clients/ksu/authorization.c | 134 +++---- + src/clients/ksu/ccache.c | 283 +++++--------- + src/clients/ksu/heuristic.c | 128 +++--- + src/clients/ksu/krb_auth_su.c | 134 ++----- + src/clients/ksu/ksu.h | 6 - + src/clients/ksu/main.c | 3 +- + src/kadmin/cli/keytab.c | 6 +- + src/kadmin/ktutil/ktutil.c | 1 + + src/kprop/kpropd.c | 21 +- + src/lib/gssapi/krb5/export_cred.c | 4 +- + src/lib/gssapi/krb5/val_cred.c | 6 +- + src/lib/kadm5/srv/server_kdb.c | 7 +- + src/lib/krb5/ccache/cc_kcm.c | 4 + + src/lib/krb5/ccache/ccfns.c | 12 +- + src/lib/krb5/keytab/kt_file.c | 3 +- + src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 8 +- + 19 files changed, 517 insertions(+), 672 deletions(-) + +diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c +index 0722ae196f..2cfcfc6cc5 100644 +--- a/src/appl/gss-sample/gss-client.c ++++ b/src/appl/gss-sample/gss-client.c +@@ -182,180 +182,148 @@ client_establish_context(int s, char *service_name, OM_uint32 gss_flags, + char *username, char *password, + gss_ctx_id_t *gss_context, OM_uint32 *ret_flags) + { +- if (auth_flag) { +- gss_buffer_desc send_tok, recv_tok, *token_ptr; +- gss_name_t target_name; +- OM_uint32 maj_stat, min_stat, init_sec_min_stat; +- int token_flags; +- 
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; +- gss_name_t gss_username = GSS_C_NO_NAME; +- gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET; +- +- if (spnego) { +- mechs.elements = &gss_spnego_mechanism_oid_desc; +- mechs.count = 1; +- mechsp = &mechs; +- } else if (oid != GSS_C_NO_OID) { +- mechs.elements = oid; +- mechs.count = 1; +- mechsp = &mechs; +- } else { +- mechs.elements = NULL; +- mechs.count = 0; +- } ++ int result = -1, st; ++ gss_buffer_desc send_tok, recv_tok, pwbuf, *token_ptr; ++ gss_name_t target_name = GSS_C_NO_NAME, gss_username = GSS_C_NO_NAME; ++ OM_uint32 maj_stat, min_stat, init_sec_min_stat; ++ int token_flags; ++ gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; ++ gss_OID_set_desc mechs, neg_mechs, *mechsp = GSS_C_NO_OID_SET; ++ ++ if (!auth_flag) ++ return send_token(s, TOKEN_NOOP, empty_token); ++ ++ if (spnego) { ++ mechs.elements = &gss_spnego_mechanism_oid_desc; ++ mechs.count = 1; ++ mechsp = &mechs; ++ } else if (oid != GSS_C_NO_OID) { ++ mechs.elements = oid; ++ mechs.count = 1; ++ mechsp = &mechs; ++ } else { ++ mechs.elements = NULL; ++ mechs.count = 0; ++ } + +- if (username != NULL) { +- send_tok.value = username; +- send_tok.length = strlen(username); ++ if (username != NULL) { ++ send_tok.value = username; ++ send_tok.length = strlen(username); + +- maj_stat = gss_import_name(&min_stat, &send_tok, +- (gss_OID) gss_nt_user_name, +- &gss_username); +- if (maj_stat != GSS_S_COMPLETE) { +- display_status("parsing client name", maj_stat, min_stat); +- return -1; +- } +- } +- +- if (password != NULL) { +- gss_buffer_desc pwbuf; +- +- pwbuf.value = password; +- pwbuf.length = strlen(password); +- +- maj_stat = gss_acquire_cred_with_password(&min_stat, +- gss_username, +- &pwbuf, 0, +- mechsp, GSS_C_INITIATE, +- &cred, NULL, NULL); +- } else if (gss_username != GSS_C_NO_NAME) { +- maj_stat = gss_acquire_cred(&min_stat, +- gss_username, 0, +- mechsp, GSS_C_INITIATE, +- &cred, NULL, NULL); +- } else +- maj_stat = GSS_S_COMPLETE; ++ maj_stat 
= gss_import_name(&min_stat, &send_tok, ++ (gss_OID) gss_nt_user_name, &gss_username); + if (maj_stat != GSS_S_COMPLETE) { +- display_status("acquiring creds", maj_stat, min_stat); +- gss_release_name(&min_stat, &gss_username); +- return -1; ++ display_status("parsing client name", maj_stat, min_stat); ++ goto cleanup; + } +- if (spnego && oid != GSS_C_NO_OID) { +- gss_OID_set_desc neg_mechs; +- +- neg_mechs.elements = oid; +- neg_mechs.count = 1; ++ } + +- maj_stat = gss_set_neg_mechs(&min_stat, cred, &neg_mechs); +- if (maj_stat != GSS_S_COMPLETE) { +- display_status("setting neg mechs", maj_stat, min_stat); +- gss_release_name(&min_stat, &gss_username); +- gss_release_cred(&min_stat, &cred); +- return -1; +- } +- } +- gss_release_name(&min_stat, &gss_username); +- +- /* +- * Import the name into target_name. Use send_tok to save +- * local variable space. +- */ +- send_tok.value = service_name; +- send_tok.length = strlen(service_name); +- maj_stat = gss_import_name(&min_stat, &send_tok, +- (gss_OID) gss_nt_service_name, +- &target_name); ++ if (password != NULL) { ++ pwbuf.value = password; ++ pwbuf.length = strlen(password); ++ ++ maj_stat = gss_acquire_cred_with_password(&min_stat, gss_username, ++ &pwbuf, 0, mechsp, ++ GSS_C_INITIATE, &cred, NULL, ++ NULL); ++ } else if (gss_username != GSS_C_NO_NAME) { ++ maj_stat = gss_acquire_cred(&min_stat, gss_username, 0, mechsp, ++ GSS_C_INITIATE, &cred, NULL, NULL); ++ } else { ++ maj_stat = GSS_S_COMPLETE; ++ } ++ if (maj_stat != GSS_S_COMPLETE) { ++ display_status("acquiring creds", maj_stat, min_stat); ++ goto cleanup; ++ } ++ if (spnego && oid != GSS_C_NO_OID) { ++ neg_mechs.elements = oid; ++ neg_mechs.count = 1; ++ maj_stat = gss_set_neg_mechs(&min_stat, cred, &neg_mechs); + if (maj_stat != GSS_S_COMPLETE) { +- display_status("parsing name", maj_stat, min_stat); +- return -1; ++ display_status("setting neg mechs", maj_stat, min_stat); ++ goto cleanup; + } ++ } + +- if (!v1_format) { +- if (send_token(s, 
TOKEN_NOOP | TOKEN_CONTEXT_NEXT, empty_token) < +- 0) { +- (void) gss_release_name(&min_stat, &target_name); +- return -1; +- } +- } ++ /* Import the name into target_name. Use send_tok to save local variable ++ * space. */ ++ send_tok.value = service_name; ++ send_tok.length = strlen(service_name); ++ maj_stat = gss_import_name(&min_stat, &send_tok, ++ (gss_OID) gss_nt_service_name, &target_name); ++ if (maj_stat != GSS_S_COMPLETE) { ++ display_status("parsing name", maj_stat, min_stat); ++ goto cleanup; ++ } + +- /* +- * Perform the context-establishement loop. +- * +- * On each pass through the loop, token_ptr points to the token +- * to send to the server (or GSS_C_NO_BUFFER on the first pass). +- * Every generated token is stored in send_tok which is then +- * transmitted to the server; every received token is stored in +- * recv_tok, which token_ptr is then set to, to be processed by +- * the next call to gss_init_sec_context. +- * +- * GSS-API guarantees that send_tok's length will be non-zero +- * if and only if the server is expecting another token from us, +- * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if +- * and only if the server has another token to send us. +- */ +- +- token_ptr = GSS_C_NO_BUFFER; +- *gss_context = GSS_C_NO_CONTEXT; +- +- do { +- maj_stat = gss_init_sec_context(&init_sec_min_stat, +- cred, gss_context, +- target_name, mechs.elements, +- gss_flags, 0, +- NULL, /* channel bindings */ +- token_ptr, NULL, /* mech type */ +- &send_tok, ret_flags, +- NULL); /* time_rec */ +- +- if (token_ptr != GSS_C_NO_BUFFER) +- free(recv_tok.value); +- +- if (send_tok.length != 0) { +- if (verbose) +- printf("Sending init_sec_context token (size=%d)...", +- (int) send_tok.length); +- if (send_token(s, v1_format ? 
0 : TOKEN_CONTEXT, &send_tok) < +- 0) { +- (void) gss_release_buffer(&min_stat, &send_tok); +- (void) gss_release_name(&min_stat, &target_name); +- return -1; +- } ++ if (!v1_format) { ++ if (send_token(s, TOKEN_NOOP | TOKEN_CONTEXT_NEXT, empty_token) < 0) ++ goto cleanup; ++ } ++ ++ /* ++ * Perform the context-establishment loop. ++ * ++ * On each pass through the loop, token_ptr points to the token to send to ++ * the server (or GSS_C_NO_BUFFER on the first pass). Every generated ++ * token is stored in send_tok which is then transmitted to the server; ++ * every received token is stored in recv_tok, which token_ptr is then set ++ * to, to be processed by the next call to gss_init_sec_context. ++ * ++ * GSS-API guarantees that send_tok's length will be non-zero if and only ++ * if the server is expecting another token from us, and that ++ * gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if and only if the ++ * server has another token to send us. ++ */ ++ ++ token_ptr = GSS_C_NO_BUFFER; ++ *gss_context = GSS_C_NO_CONTEXT; ++ ++ do { ++ maj_stat = gss_init_sec_context(&init_sec_min_stat, cred, gss_context, ++ target_name, mechs.elements, gss_flags, ++ 0, NULL, token_ptr, NULL, &send_tok, ++ ret_flags, NULL); ++ ++ if (token_ptr != GSS_C_NO_BUFFER) ++ free(recv_tok.value); ++ ++ if (send_tok.length > 0) { ++ if (verbose) { ++ printf("Sending init_sec_context token (size=%d)...", ++ (int) send_tok.length); + } ++ st = send_token(s, v1_format ? 
0 : TOKEN_CONTEXT, &send_tok); + (void) gss_release_buffer(&min_stat, &send_tok); ++ if (st < 0) ++ goto cleanup; ++ } + +- if (maj_stat != GSS_S_COMPLETE +- && maj_stat != GSS_S_CONTINUE_NEEDED) { +- display_status("initializing context", maj_stat, +- init_sec_min_stat); +- (void) gss_release_name(&min_stat, &target_name); +- (void) gss_release_cred(&min_stat, &cred); +- if (*gss_context != GSS_C_NO_CONTEXT) +- gss_delete_sec_context(&min_stat, gss_context, +- GSS_C_NO_BUFFER); +- return -1; +- } ++ if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { ++ display_status("initializing context", maj_stat, ++ init_sec_min_stat); ++ goto cleanup; ++ } + +- if (maj_stat == GSS_S_CONTINUE_NEEDED) { +- if (verbose) +- printf("continue needed..."); +- if (recv_token(s, &token_flags, &recv_tok) < 0) { +- (void) gss_release_name(&min_stat, &target_name); +- return -1; +- } +- token_ptr = &recv_tok; +- } ++ if (maj_stat == GSS_S_CONTINUE_NEEDED) { + if (verbose) +- printf("\n"); +- } while (maj_stat == GSS_S_CONTINUE_NEEDED); ++ printf("continue needed..."); ++ if (recv_token(s, &token_flags, &recv_tok) < 0) ++ goto cleanup; ++ token_ptr = &recv_tok; ++ } ++ if (verbose) ++ printf("\n"); ++ } while (maj_stat == GSS_S_CONTINUE_NEEDED); + +- (void) gss_release_cred(&min_stat, &cred); +- (void) gss_release_name(&min_stat, &target_name); +- } else { +- if (send_token(s, TOKEN_NOOP, empty_token) < 0) +- return -1; +- } ++ result = 0; + +- return 0; ++cleanup: ++ (void) gss_release_name(&min_stat, &gss_username); ++ (void) gss_release_cred(&min_stat, &cred); ++ (void) gss_release_name(&min_stat, &target_name); ++ return result; + } + + static void +@@ -436,11 +404,11 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + { + gss_ctx_id_t context = GSS_C_NO_CONTEXT; + gss_buffer_desc in_buf, out_buf; +- int s, state; ++ int s = -1, result = -1, state; + OM_uint32 ret_flags; + OM_uint32 maj_stat, min_stat; +- gss_name_t src_name, targ_name; +- 
gss_buffer_desc sname, tname; ++ gss_name_t src_name = GSS_C_NO_NAME, targ_name = GSS_C_NO_NAME; ++ gss_buffer_desc sname = GSS_C_EMPTY_BUFFER, tname = GSS_C_EMPTY_BUFFER; + OM_uint32 lifetime; + gss_OID mechanism, name_type; + int is_local; +@@ -454,14 +422,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + + /* Open connection */ + if ((s = connect_to_server(host, port)) < 0) +- return -1; ++ goto cleanup; + + /* Establish context */ + if (client_establish_context(s, service_name, gss_flags, auth_flag, + v1_format, oid, username, password, + &context, &ret_flags) < 0) { +- (void) closesocket(s); +- return -1; ++ goto cleanup; + } + + if (auth_flag && verbose) { +@@ -475,19 +442,19 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + &is_local, &is_open); + if (maj_stat != GSS_S_COMPLETE) { + display_status("inquiring context", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + + maj_stat = gss_display_name(&min_stat, src_name, &sname, &name_type); + if (maj_stat != GSS_S_COMPLETE) { + display_status("displaying source name", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + maj_stat = gss_display_name(&min_stat, targ_name, &tname, + (gss_OID *) NULL); + if (maj_stat != GSS_S_COMPLETE) { + display_status("displaying target name", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + printf("\"%.*s\" to \"%.*s\", lifetime %d, flags %x, %s, %s\n", + (int) sname.length, (char *) sname.value, +@@ -496,15 +463,10 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + (is_local) ? "locally initiated" : "remotely initiated", + (is_open) ? 
"open" : "closed"); + +- (void) gss_release_name(&min_stat, &src_name); +- (void) gss_release_name(&min_stat, &targ_name); +- (void) gss_release_buffer(&min_stat, &sname); +- (void) gss_release_buffer(&min_stat, &tname); +- + maj_stat = gss_oid_to_str(&min_stat, name_type, &oid_name); + if (maj_stat != GSS_S_COMPLETE) { + display_status("converting oid->string", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + printf("Name type of source name is %.*s.\n", + (int) oid_name.length, (char *) oid_name.value); +@@ -515,13 +477,13 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + mechanism, &mech_names); + if (maj_stat != GSS_S_COMPLETE) { + display_status("inquiring mech names", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + + maj_stat = gss_oid_to_str(&min_stat, mechanism, &oid_name); + if (maj_stat != GSS_S_COMPLETE) { + display_status("converting oid->string", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + printf("Mechanism %.*s supports %d names\n", + (int) oid_name.length, (char *) oid_name.value, +@@ -533,7 +495,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + &mech_names->elements[i], &oid_name); + if (maj_stat != GSS_S_COMPLETE) { + display_status("converting oid->string", maj_stat, min_stat); +- return -1; ++ goto cleanup; + } + printf(" %d: %.*s\n", (int) i, + (int) oid_name.length, (char *) oid_name.value); +@@ -558,10 +520,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + &in_buf, &state, &out_buf); + if (maj_stat != GSS_S_COMPLETE) { + display_status("wrapping message", maj_stat, min_stat); +- (void) closesocket(s); +- (void) gss_delete_sec_context(&min_stat, &context, +- GSS_C_NO_BUFFER); +- return -1; ++ goto cleanup; + } else if (encrypt_flag && !state) { + fprintf(stderr, "Warning! Message not encrypted.\n"); + } +@@ -575,22 +534,15 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + (wrap_flag ? 
TOKEN_WRAPPED : 0) | + (encrypt_flag ? TOKEN_ENCRYPTED : 0) | + (mic_flag ? TOKEN_SEND_MIC : 0))), +- &out_buf) < 0) { +- (void) closesocket(s); +- (void) gss_delete_sec_context(&min_stat, &context, +- GSS_C_NO_BUFFER); +- return -1; +- } ++ &out_buf) < 0) ++ goto cleanup; ++ + if (out_buf.value != in_buf.value) + (void) gss_release_buffer(&min_stat, &out_buf); + + /* Read signature block into out_buf */ +- if (recv_token(s, &token_flags, &out_buf) < 0) { +- (void) closesocket(s); +- (void) gss_delete_sec_context(&min_stat, &context, +- GSS_C_NO_BUFFER); +- return -1; +- } ++ if (recv_token(s, &token_flags, &out_buf) < 0) ++ goto cleanup; + + if (mic_flag) { + /* Verify signature block */ +@@ -598,10 +550,7 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + &out_buf, &qop_state); + if (maj_stat != GSS_S_COMPLETE) { + display_status("verifying signature", maj_stat, min_stat); +- (void) closesocket(s); +- (void) gss_delete_sec_context(&min_stat, &context, +- GSS_C_NO_BUFFER); +- return -1; ++ goto cleanup; + } + + if (verbose) +@@ -621,23 +570,17 @@ call_server(char *host, u_short port, gss_OID oid, char *service_name, + if (!v1_format) + (void) send_token(s, TOKEN_NOOP, empty_token); + +- if (auth_flag) { +- /* Delete context */ +- maj_stat = gss_delete_sec_context(&min_stat, &context, &out_buf); +- if (maj_stat != GSS_S_COMPLETE) { +- display_status("deleting context", maj_stat, min_stat); +- (void) closesocket(s); +- (void) gss_delete_sec_context(&min_stat, &context, +- GSS_C_NO_BUFFER); +- return -1; +- } +- +- (void) gss_release_buffer(&min_stat, &out_buf); +- } +- +- (void) closesocket(s); ++ result = 0; + +- return 0; ++cleanup: ++ (void) gss_release_name(&min_stat, &src_name); ++ (void) gss_release_name(&min_stat, &targ_name); ++ (void) gss_release_buffer(&min_stat, &sname); ++ (void) gss_release_buffer(&min_stat, &tname); ++ (void) gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); ++ if (s >= 0) ++ (void) closesocket(s); 
++ return result; + } + + static void +diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c +index 0e9c857e56..4ba864d9fb 100644 +--- a/src/appl/gss-sample/gss-server.c ++++ b/src/appl/gss-sample/gss-server.c +@@ -138,13 +138,12 @@ server_acquire_creds(char *service_name, gss_OID mech, + } + maj_stat = gss_acquire_cred(&min_stat, server_name, 0, mechs, GSS_C_ACCEPT, + server_creds, NULL, NULL); ++ (void) gss_release_name(&min_stat, &server_name); + if (maj_stat != GSS_S_COMPLETE) { + display_status("acquiring credentials", maj_stat, min_stat); + return -1; + } + +- (void) gss_release_name(&min_stat, &server_name); +- + return 0; + } + +diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c +index c797b1698f..b5ae96a843 100644 +--- a/src/clients/klist/klist.c ++++ b/src/clients/klist/klist.c +@@ -469,20 +469,21 @@ do_ccache() + static int + show_ccache(krb5_ccache cache) + { +- krb5_cc_cursor cur; ++ krb5_cc_cursor cur = NULL; + krb5_creds creds; +- krb5_principal princ; ++ krb5_principal princ = NULL; + krb5_error_code ret; ++ int status = 1; + + ret = krb5_cc_get_principal(context, cache, &princ); + if (ret) { + com_err(progname, ret, ""); +- return 1; ++ goto cleanup; + } + ret = krb5_unparse_name(context, princ, &defname); + if (ret) { + com_err(progname, ret, _("while unparsing principal name")); +- return 1; ++ goto cleanup; + } + + printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"), +@@ -498,27 +499,33 @@ show_ccache(krb5_ccache cache) + ret = krb5_cc_start_seq_get(context, cache, &cur); + if (ret) { + com_err(progname, ret, _("while starting to retrieve tickets")); +- return 1; ++ goto cleanup; + } + while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { + if (show_config || !krb5_is_config_principal(context, creds.server)) + show_credential(&creds); + krb5_free_cred_contents(context, &creds); + } +- krb5_free_principal(context, princ); +- krb5_free_unparsed_name(context, defname); +- defname = 
NULL; + if (ret == KRB5_CC_END) { + ret = krb5_cc_end_seq_get(context, cache, &cur); ++ cur = NULL; + if (ret) { + com_err(progname, ret, _("while finishing ticket retrieval")); +- return 1; ++ goto cleanup; + } +- return 0; + } else { + com_err(progname, ret, _("while retrieving a ticket")); +- return 1; ++ goto cleanup; + } ++ ++ status = 0; ++ ++cleanup: ++ if (cur != NULL) ++ (void)krb5_cc_end_seq_get(context, cache, &cur); ++ krb5_free_principal(context, princ); ++ krb5_free_unparsed_name(context, defname); ++ return status; + } + + /* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */ +@@ -526,15 +533,18 @@ static int + check_ccache(krb5_ccache cache) + { + krb5_error_code ret; +- krb5_cc_cursor cur; ++ krb5_cc_cursor cur = NULL; + krb5_creds creds; +- krb5_principal princ; +- krb5_boolean found_tgt, found_current_tgt, found_current_cred; ++ krb5_principal princ = NULL; ++ krb5_boolean found_tgt = FALSE, found_current_tgt = FALSE; ++ krb5_boolean found_current_cred = FALSE; + +- if (krb5_cc_get_principal(context, cache, &princ) != 0) +- return 1; +- if (krb5_cc_start_seq_get(context, cache, &cur) != 0) +- return 1; ++ ret = krb5_cc_get_principal(context, cache, &princ); ++ if (ret) ++ goto cleanup; ++ ret = krb5_cc_start_seq_get(context, cache, &cur); ++ if (ret) ++ goto cleanup; + found_tgt = found_current_tgt = found_current_cred = FALSE; + while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { + if (is_local_tgt(creds.server, &princ->realm)) { +@@ -547,12 +557,17 @@ check_ccache(krb5_ccache cache) + } + krb5_free_cred_contents(context, &creds); + } +- krb5_free_principal(context, princ); + if (ret != KRB5_CC_END) +- return 1; +- if (krb5_cc_end_seq_get(context, cache, &cur) != 0) +- return 1; ++ goto cleanup; ++ ret = krb5_cc_end_seq_get(context, cache, &cur); ++ cur = NULL; + ++cleanup: ++ if (cur != NULL) ++ (void)krb5_cc_end_seq_get(context, cache, &cur); ++ krb5_free_principal(context, princ); ++ if (ret) ++ 
return 1; + /* If the cache contains at least one local TGT, require that it be + * current. Otherwise accept any current cred. */ + if (found_tgt) +diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c +index 17a8a8f2f0..1f2650c2ab 100644 +--- a/src/clients/ksu/authorization.c ++++ b/src/clients/ksu/authorization.c +@@ -28,7 +28,17 @@ + + #include "ksu.h" + +-static void auth_cleanup (FILE *, FILE *, char *); ++static void ++free_fcmd_list(char **list) ++{ ++ size_t i; ++ ++ if (list == NULL) ++ return; ++ for (i = 0; i < MAX_CMD && list[i] != NULL; i++) ++ free(list[i]); ++ free(list); ++} + + krb5_boolean + fowner(FILE *fp, uid_t uid) +@@ -52,10 +62,10 @@ fowner(FILE *fp, uid_t uid) + + /* + * Given a Kerberos principal "principal", and a local username "luser", +- * determine whether user is authorized to login according to the +- * authorization files ~luser/.k5login" and ~luser/.k5users. Returns TRUE +- * if authorized, FALSE if not authorized. +- * ++ * determine whether user is authorized to login according to the authorization ++ * files ~luser/.k5login" and ~luser/.k5users. Set *ok to TRUE if authorized, ++ * FALSE if not authorized. Return 0 if the authorization check succeeded ++ * (regardless of its result), non-zero if it encountered an error. 
+ */ + + krb5_error_code +@@ -64,7 +74,7 @@ krb5_authorization(krb5_context context, krb5_principal principal, + char **out_fcmd) + { + struct passwd *pwd; +- char *princname; ++ char *princname = NULL; + int k5login_flag =0; + int k5users_flag =0; + krb5_boolean retbool =FALSE; +@@ -76,7 +86,7 @@ krb5_authorization(krb5_context context, krb5_principal principal, + + /* no account => no access */ + if ((pwd = getpwnam(luser)) == NULL) +- return 0; ++ goto cleanup; + + retval = krb5_unparse_name(context, principal, &princname); + if (retval) +@@ -93,22 +103,19 @@ krb5_authorization(krb5_context context, krb5_principal principal, + + /* k5login and k5users must be owned by target user or root */ + if (!k5login_flag){ +- if ((login_fp = fopen(k5login_path, "r")) == NULL) +- return 0; +- if ( fowner(login_fp, pwd->pw_uid) == FALSE) { +- fclose(login_fp); +- return 0; +- } ++ login_fp = fopen(k5login_path, "r"); ++ if (login_fp == NULL) ++ goto cleanup; ++ if (fowner(login_fp, pwd->pw_uid) == FALSE) ++ goto cleanup; + } + + if (!k5users_flag){ +- if ((users_fp = fopen(k5users_path, "r")) == NULL) { +- return 0; +- } +- if ( fowner(users_fp, pwd->pw_uid) == FALSE){ +- fclose(users_fp); +- return 0; +- } ++ users_fp = fopen(k5users_path, "r"); ++ if (users_fp == NULL) ++ goto cleanup; ++ if (fowner(users_fp, pwd->pw_uid) == FALSE) ++ goto cleanup; + } + + if (auth_debug){ +@@ -127,10 +134,8 @@ krb5_authorization(krb5_context context, krb5_principal principal, + princname); + + retval = k5login_lookup(login_fp, princname, &retbool); +- if (retval) { +- auth_cleanup(users_fp, login_fp, princname); +- return retval; +- } ++ if (retval) ++ goto cleanup; + if (retbool) { + if (cmd) + *out_fcmd = xstrdup(cmd); +@@ -140,10 +145,8 @@ krb5_authorization(krb5_context context, krb5_principal principal, + if ((!k5users_flag) && (retbool == FALSE) ){ + retval = k5users_lookup (users_fp, princname, + cmd, &retbool, out_fcmd); +- if(retval) { +- auth_cleanup(users_fp, login_fp, 
princname); +- return retval; +- } ++ if (retval) ++ goto cleanup; + } + + if (k5login_flag && k5users_flag){ +@@ -159,8 +162,14 @@ krb5_authorization(krb5_context context, krb5_principal principal, + } + + *ok =retbool; +- auth_cleanup(users_fp, login_fp, princname); +- return 0; ++ ++cleanup: ++ if (users_fp != NULL) ++ fclose(users_fp); ++ if (login_fp != NULL) ++ fclose(login_fp); ++ free(princname); ++ return retval; + } + + /*********************************************************** +@@ -320,10 +329,11 @@ krb5_boolean + fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + { + char * err; +- char ** tmp_fcmd; ++ char ** tmp_fcmd = NULL; + char * path_ptr, *path; + char * lp, * tc; + int i=0; ++ krb5_boolean ok = FALSE; + + tmp_fcmd = (char **) xcalloc (MAX_CMD, sizeof(char *)); + +@@ -331,7 +341,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + tmp_fcmd[0] = xstrdup(fcmd); + tmp_fcmd[1] = NULL; + *out_fcmd = tmp_fcmd; +- return TRUE; ++ tmp_fcmd = NULL; + }else{ + /* must be either full path or just the cmd name */ + if (strchr(fcmd, '/')){ +@@ -339,7 +349,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + "either full path or just the cmd name\n"), + fcmd, KRB5_USERS_NAME); + *out_err = err; +- return FALSE; ++ goto cleanup; + } + + #ifndef CMD_PATH +@@ -347,7 +357,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + "the cmd name, CMD_PATH must be defined \n"), + fcmd, KRB5_USERS_NAME, fcmd); + *out_err = err; +- return FALSE; ++ goto cleanup; + #else + + path = xstrdup (CMD_PATH); +@@ -361,7 +371,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + asprintf(&err, _("Error: bad entry - %s in %s file, CMD_PATH " + "contains no paths \n"), fcmd, KRB5_USERS_NAME); + *out_err = err; +- return FALSE; ++ goto cleanup; + } + + i=0; +@@ -370,7 +380,7 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + asprintf(&err, _("Error: bad path %s in CMD_PATH for %s must " + "start with '/' \n"), 
tc, KRB5_USERS_NAME ); + *out_err = err; +- return FALSE; ++ goto cleanup; + } + + tmp_fcmd[i] = xasprintf("%s/%s", tc, fcmd); +@@ -381,10 +391,15 @@ fcmd_resolve(char *fcmd, char ***out_fcmd, char **out_err) + + tmp_fcmd[i] = NULL; + *out_fcmd = tmp_fcmd; +- return TRUE; +- ++ tmp_fcmd = NULL; + #endif /* CMD_PATH */ + } ++ ++ ok = TRUE; ++ ++cleanup: ++ free_fcmd_list(tmp_fcmd); ++ return ok; + } + + /******************************************** +@@ -503,41 +518,42 @@ int + match_commands(char *fcmd, char *cmd, krb5_boolean *match, + char **cmd_out, char **err_out) + { +- char ** fcmd_arr; ++ char ** fcmd_arr = NULL; + char * err; + char * cmd_temp; ++ int result = 1; + + if(fcmd_resolve(fcmd, &fcmd_arr, &err )== FALSE ){ + *err_out = err; +- return 1; ++ goto cleanup; + } + + if (cmd_single( cmd ) == TRUE){ + if (!cmd_arr_cmp_postfix(fcmd_arr, cmd)){ /* found */ +- +- if(find_first_cmd_that_exists( fcmd_arr,&cmd_temp,&err)== TRUE){ +- *match = TRUE; +- *cmd_out = cmd_temp; +- return 0; +- }else{ ++ if (!find_first_cmd_that_exists(fcmd_arr, &cmd_temp, &err)) { + *err_out = err; +- return 1; ++ goto cleanup; + } +- }else{ ++ ++ *match = TRUE; ++ *cmd_out = cmd_temp; ++ } else { + *match = FALSE; +- return 0; + } + }else{ + if (!cmd_arr_cmp(fcmd_arr, cmd)){ /* found */ + *match = TRUE; + *cmd_out = xstrdup(cmd); +- return 0; + } else{ + *match = FALSE; +- return 0; + } + } + ++ result = 0; ++ ++cleanup: ++ free_fcmd_list(fcmd_arr); ++ return result; + } + + /********************************************************* +@@ -563,10 +579,7 @@ get_line(FILE *fp, char **out_line) + } + else { + chunk_count ++; +- if(!( line = (char *) realloc( line, +- chunk_count * sizeof(char) * BUFSIZ))){ +- return ENOMEM; +- } ++ line = xrealloc(line, chunk_count * BUFSIZ); + + line_ptr = line + (BUFSIZ -1) *( chunk_count -1) ; + } +@@ -652,17 +665,6 @@ get_next_token (char **lnext) + return out_ptr; + } + +-static void +-auth_cleanup(FILE *users_fp, FILE *login_fp, char *princname) 
+-{ +- +- free (princname); +- if (users_fp) +- fclose(users_fp); +- if (login_fp) +- fclose(login_fp); +-} +- + void + init_auth_names(char *pw_dir) + { +diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c +index cca9ce2dfc..76cb1d6aa4 100644 +--- a/src/clients/ksu/ccache.c ++++ b/src/clients/ksu/ccache.c +@@ -40,6 +40,18 @@ copies the default cache into the secondary cache, + + ************************************************************************/ + ++static void ++free_creds_list(krb5_context context, krb5_creds **list) ++{ ++ size_t i; ++ ++ if (list == NULL) ++ return; ++ for (i = 0; list[i]; i++) ++ krb5_free_creds(context, list[i]); ++ free(list); ++} ++ + void show_credential(krb5_context, krb5_creds *, krb5_ccache); + + /* modifies only the cc_other, the algorithm may look a bit funny, +@@ -53,20 +65,19 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def, + krb5_boolean restrict_creds, krb5_principal primary_principal, + krb5_boolean *stored) + { +- int i=0; + krb5_error_code retval=0; + krb5_creds ** cc_def_creds_arr = NULL; + krb5_creds ** cc_other_creds_arr = NULL; + + if (ks_ccache_is_initialized(context, cc_def)) { +- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ +- return retval; +- } ++ retval = krb5_get_nonexp_tkts(context, cc_def, &cc_def_creds_arr); ++ if (retval) ++ goto cleanup; + } + + retval = krb5_cc_initialize(context, cc_target, target_principal); + if (retval) +- return retval; ++ goto cleanup; + + if (restrict_creds) { + retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr, +@@ -79,22 +90,9 @@ krb5_ccache_copy(krb5_context context, krb5_ccache cc_def, + cc_other_creds_arr); + } + +- if (cc_def_creds_arr){ +- while (cc_def_creds_arr[i]){ +- krb5_free_creds(context, cc_def_creds_arr[i]); +- i++; +- } +- } +- +- i=0; +- +- if(cc_other_creds_arr){ +- while (cc_other_creds_arr[i]){ +- krb5_free_creds(context, cc_other_creds_arr[i]); +- i++; +- } +- } +- ++cleanup: ++ 
free_creds_list(context, cc_def_creds_arr); ++ free_creds_list(context, cc_other_creds_arr); + return retval; + } + +@@ -184,32 +182,29 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc, + { + + krb5_creds creds, temp_tktq, temp_tkt; +- krb5_creds **temp_creds; ++ krb5_creds **temp_creds = NULL; + krb5_error_code retval=0; + krb5_cc_cursor cur; + int count = 0; + int chunk_count = 1; + +- if ( ! ( temp_creds = (krb5_creds **) malloc( CHUNK * sizeof(krb5_creds *)))){ +- return ENOMEM; +- } +- +- ++ temp_creds = xcalloc(CHUNK, sizeof(*temp_creds)); + memset(&temp_tktq, 0, sizeof(temp_tktq)); + memset(&temp_tkt, 0, sizeof(temp_tkt)); + memset(&creds, 0, sizeof(creds)); + + /* initialize the cursor */ +- if ((retval = krb5_cc_start_seq_get(context, cc, &cur))) { +- return retval; +- } ++ retval = krb5_cc_start_seq_get(context, cc, &cur); ++ if (retval) ++ goto cleanup; + + while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){ + + if (!krb5_is_config_principal(context, creds.server) && + (retval = krb5_check_exp(context, creds.times))){ ++ krb5_free_cred_contents(context, &creds); + if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ +- return retval; ++ goto cleanup; + } + if (auth_debug){ + fprintf(stderr,"krb5_ccache_copy: CREDS EXPIRED:\n"); +@@ -219,19 +214,19 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc, + } + } + else { /* these credentials didn't expire */ +- +- if ((retval = krb5_copy_creds(context, &creds, +- &temp_creds[count]))){ +- return retval; +- } ++ retval = krb5_copy_creds(context, &creds, &temp_creds[count]); ++ krb5_free_cred_contents(context, &creds); ++ temp_creds[count+1] = NULL; ++ if (retval) ++ goto cleanup; + count ++; + + if (count == (chunk_count * CHUNK -1)){ + chunk_count ++; +- if (!(temp_creds = (krb5_creds **) realloc(temp_creds, +- chunk_count * CHUNK * sizeof(krb5_creds *)))){ +- return ENOMEM; +- } ++ ++ temp_creds = xrealloc(temp_creds, ++ chunk_count * CHUNK * ++ sizeof(*temp_creds)); + } + } + +@@ 
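Review bot: In krb5_get_nonexp_tkts, `krb5_free_cred_contents(context, &creds);` is now executed before the expired-ticket branch is finished, yet the auth_debug block that follows still has `creds` in scope and its body continues past this hunk; if — as older ksu sources did — that block calls show_credential(context, &creds, cc), it now reads freed client and server principals. Move the free to after the debug output (keeping the `goto cleanup` for the non-expired error first), or free a copy. The lines between this hunk and the next are not shown, so please verify what the debug branch touches before relying on the current order.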
-239,13 +234,15 @@ krb5_get_nonexp_tkts(krb5_context context, krb5_ccache cc, + + temp_creds[count] = NULL; + *creds_array = temp_creds; ++ temp_creds = NULL; + + if (retval == KRB5_CC_END) { + retval = krb5_cc_end_seq_get(context, cc, &cur); + } + ++cleanup: ++ free_creds_list(context, temp_creds); + return retval; +- + } + + krb5_error_code +@@ -315,122 +312,33 @@ printtime(krb5_timestamp ts) + printf("%s", fmtbuf); + } + +- +-krb5_error_code +-krb5_get_login_princ(const char *luser, char ***princ_list) +-{ +- struct stat sbuf; +- struct passwd *pwd; +- char pbuf[MAXPATHLEN]; +- FILE *fp; +- char * linebuf; +- char *newline; +- int gobble, result; +- char ** buf_out; +- struct stat st_temp; +- int count = 0, chunk_count = 1; +- +- /* no account => no access */ +- +- if ((pwd = getpwnam(luser)) == NULL) { +- return 0; +- } +- result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir); +- if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) { +- fprintf(stderr, _("home directory path for %s too long\n"), luser); +- exit (1); +- } +- +- if (stat(pbuf, &st_temp)) { /* not accessible */ +- return 0; +- } +- +- +- /* open ~/.k5login */ +- if ((fp = fopen(pbuf, "r")) == NULL) { +- return 0; +- } +- /* +- * For security reasons, the .k5login file must be owned either by +- * the user himself, or by root. Otherwise, don't grant access. 
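Review bot: The cursor obtained from krb5_cc_start_seq_get is only released on the KRB5_CC_END path; every `goto cleanup` taken inside the loop (krb5_check_exp failure, krb5_copy_creds failure) and any krb5_cc_next_cred error other than KRB5_CC_END skip krb5_cc_end_seq_get, so this leak-fix commit still leaks the iterator and, for cache types that keep a descriptor open while iterating, that descriptor too. Initialize `cur` to NULL, end the sequence in `cleanup` whenever it is still live, and clear it on the success path so it is not ended twice.
```c
    krb5_cc_cursor cur = NULL;
    /* … unchanged: allocation, krb5_cc_start_seq_get, iteration loop … */

    temp_creds[count] = NULL;
    *creds_array = temp_creds;
    temp_creds = NULL;

    if (retval == KRB5_CC_END) {
        retval = krb5_cc_end_seq_get(context, cc, &cur);
        cur = NULL;
    }

cleanup:
    if (cur != NULL)
        (void)krb5_cc_end_seq_get(context, cc, &cur);
    free_creds_list(context, temp_creds);
    return retval;
```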
+- */ +- if (fstat(fileno(fp), &sbuf)) { +- fclose(fp); +- return 0; +- } +- if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) { +- fclose(fp); +- return 0; +- } +- +- /* check each line */ +- +- +- if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; +- +- if (!(buf_out = (char **) malloc( CHUNK * sizeof(char *)))) return ENOMEM; +- +- while ( fgets(linebuf, BUFSIZ, fp) != NULL) { +- /* null-terminate the input string */ +- linebuf[BUFSIZ-1] = '\0'; +- newline = NULL; +- /* nuke the newline if it exists */ +- if ((newline = strchr(linebuf, '\n'))) +- *newline = '\0'; +- +- buf_out[count] = linebuf; +- count ++; +- +- if (count == (chunk_count * CHUNK -1)){ +- chunk_count ++; +- if (!(buf_out = (char **) realloc(buf_out, +- chunk_count * CHUNK * sizeof(char *)))){ +- return ENOMEM; +- } +- } +- +- /* clean up the rest of the line if necessary */ +- if (!newline) +- while (((gobble = getc(fp)) != EOF) && gobble != '\n'); +- +- if( !(linebuf = (char *) calloc (BUFSIZ, sizeof(char)))) return ENOMEM; +- } +- +- buf_out[count] = NULL; +- *princ_list = buf_out; +- fclose(fp); +- return 0; +-} +- + void + show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc) + { + krb5_error_code retval; +- char *name, *sname, *flags; ++ char *name = NULL, *sname = NULL, *defname = NULL, *flags; + int first = 1; +- krb5_principal princ; +- char * defname; ++ krb5_principal princ = NULL; + int show_flags =1; + + retval = krb5_unparse_name(context, cred->client, &name); + if (retval) { + com_err(prog_name, retval, _("while unparsing client name")); +- return; ++ goto cleanup; + } + retval = krb5_unparse_name(context, cred->server, &sname); + if (retval) { + com_err(prog_name, retval, _("while unparsing server name")); +- free(name); +- return; ++ goto cleanup; + } + + if ((retval = krb5_cc_get_principal(context, cc, &princ))) { + com_err(prog_name, retval, _("while retrieving principal name")); +- return; ++ goto cleanup; + } + if ((retval = 
krb5_unparse_name(context, princ, &defname))) { + com_err(prog_name, retval, _("while unparsing principal name")); +- return; ++ goto cleanup; + } + + if (!cred->times.starttime) +@@ -468,8 +376,12 @@ show_credential(krb5_context context, krb5_creds *cred, krb5_ccache cc) + } + } + putchar('\n'); ++ ++cleanup: + free(name); + free(sname); ++ free(defname); ++ krb5_free_principal(context, princ); + } + + /* Create a random string suitable for a filename extension. */ +@@ -501,37 +413,26 @@ krb5_ccache_overwrite(krb5_context context, krb5_ccache ccs, krb5_ccache cct, + krb5_principal primary_principal) + { + krb5_error_code retval=0; +- krb5_principal temp_principal; ++ krb5_principal defprinc = NULL, princ; + krb5_creds ** ccs_creds_arr = NULL; +- int i=0; + + if (ks_ccache_is_initialized(context, ccs)) { +- if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ +- return retval; +- } ++ retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr); ++ if (retval) ++ goto cleanup; + } + +- if (ks_ccache_is_initialized(context, cct)) { +- if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ +- return retval; +- } +- }else{ +- temp_principal = primary_principal; +- } +- +- if ((retval = krb5_cc_initialize(context, cct, temp_principal))){ +- return retval; +- } ++ retval = krb5_cc_get_principal(context, cct, &defprinc); ++ princ = (retval == 0) ? 
defprinc : primary_principal; ++ retval = krb5_cc_initialize(context, cct, princ); ++ if (retval) ++ goto cleanup; + + retval = krb5_store_all_creds(context, cct, ccs_creds_arr, NULL); + +- if (ccs_creds_arr){ +- while (ccs_creds_arr[i]){ +- krb5_free_creds(context, ccs_creds_arr[i]); +- i++; +- } +- } +- ++cleanup: ++ free_creds_list(context, ccs_creds_arr); ++ krb5_free_principal(context, defprinc); + return retval; + } + +@@ -585,45 +486,40 @@ krb5_error_code + krb5_ccache_filter(krb5_context context, krb5_ccache cc, krb5_principal prst) + { + +- int i=0; + krb5_error_code retval=0; +- krb5_principal temp_principal; ++ krb5_principal temp_principal = NULL; + krb5_creds ** cc_creds_arr = NULL; + const char * cc_name; + krb5_boolean stored; + +- cc_name = krb5_cc_get_name(context, cc); ++ if (!ks_ccache_is_initialized(context, cc)) ++ return 0; + +- if (ks_ccache_is_initialized(context, cc)) { +- if (auth_debug) { +- fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); +- } ++ if (auth_debug) { ++ cc_name = krb5_cc_get_name(context, cc); ++ fprintf(stderr, "putting cache %s through a filter for -z option\n", ++ cc_name); ++ } + +- if ((retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr))){ +- return retval; +- } ++ retval = krb5_get_nonexp_tkts(context, cc, &cc_creds_arr); ++ if (retval) ++ goto cleanup; + +- if ((retval = krb5_cc_get_principal(context, cc, &temp_principal))){ +- return retval; +- } ++ retval = krb5_cc_get_principal(context, cc, &temp_principal); ++ if (retval) ++ goto cleanup; + +- if ((retval = krb5_cc_initialize(context, cc, temp_principal))){ +- return retval; +- } ++ retval = krb5_cc_initialize(context, cc, temp_principal); ++ if (retval) ++ goto cleanup; + +- if ((retval = krb5_store_some_creds(context, cc, cc_creds_arr, +- NULL, prst, &stored))){ +- return retval; +- } ++ retval = krb5_store_some_creds(context, cc, cc_creds_arr, NULL, prst, ++ &stored); + +- if (cc_creds_arr){ +- while (cc_creds_arr[i]){ +- 
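Review bot: In krb5_ccache_overwrite the replacement `retval = krb5_cc_get_principal(context, cct, &defprinc); princ = (retval == 0) ? defprinc : primary_principal;` turns every failure of krb5_cc_get_principal into "use primary_principal", whereas the old code only did that for an uninitialized cct and propagated other errors. If the widening is intended because cct is reinitialized immediately afterwards, say so: `/* Keep cct's existing principal if readable; otherwise use the caller's. */`; if not, keep the ks_ccache_is_initialized() test and check retval. The later `krb5_free_principal(context, defprinc)` is safe only because defprinc starts as NULL and krb5_cc_get_principal is assumed to leave it untouched on error — please confirm for the cache types ksu uses.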
krb5_free_creds(context, cc_creds_arr[i]); +- i++; +- } +- } +- } +- return 0; ++cleanup: ++ free_creds_list(context, cc_creds_arr); ++ krb5_free_principal(context, temp_principal); ++ return retval; + } + + krb5_boolean +@@ -654,17 +550,20 @@ krb5_error_code + krb5_find_princ_in_cache(krb5_context context, krb5_ccache cc, + krb5_principal princ, krb5_boolean *found) + { +- krb5_error_code retval; ++ krb5_error_code retval = 0; + krb5_creds ** creds_list = NULL; + + if (ks_ccache_is_initialized(context, cc)) { +- if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ +- return retval; +- } ++ retval = krb5_get_nonexp_tkts(context, cc, &creds_list); ++ if (retval) ++ goto cleanup; + } + + *found = krb5_find_princ_in_cred_list(context, creds_list, princ); +- return 0; ++ ++cleanup: ++ free_creds_list(context, creds_list); ++ return retval; + } + + krb5_boolean +diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c +index e906de8ef0..6ed94eb887 100644 +--- a/src/clients/ksu/heuristic.c ++++ b/src/clients/ksu/heuristic.c +@@ -149,28 +149,31 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list) + + *k5users_filt_list = NULL; + +- if (! k5users_list){ ++ if (k5users_list == NULL) + return 0; +- } + + while(k5users_list[i]){ ++ free(out_cmd); ++ out_cmd = NULL; + + retval= k5users_lookup(fp, k5users_list[i], cmd, &found, &out_cmd); + if (retval) +- return retval; ++ goto cleanup; + + if (found == FALSE){ + free (k5users_list[i]); + k5users_list[i] = NULL; +- if (out_cmd) gb_err = out_cmd; ++ if (out_cmd) { ++ gb_err = out_cmd; ++ out_cmd = NULL; ++ } + } else + found_count ++; + + i++; + } + +- if (! 
(temp_filt_list = (char **) calloc(found_count +1, sizeof (char*)))) +- return ENOMEM; ++ temp_filt_list = xcalloc(found_count + 1, sizeof(*temp_filt_list)); + + for(j= 0, k=0; j < i; j++ ) { + if (k5users_list[j]){ +@@ -184,7 +187,10 @@ filter(FILE *fp, char *cmd, char **k5users_list, char ***k5users_filt_list) + free (k5users_list); + + *k5users_filt_list = temp_filt_list; +- return 0; ++ ++cleanup: ++ free(out_cmd); ++ return retval; + } + + krb5_error_code +@@ -318,7 +324,7 @@ get_closest_principal(krb5_context context, char **plist, + + retval = krb5_parse_name(context, plist[i], &temp_client); + if (retval) +- return retval; ++ goto cleanup; + + pnelem = krb5_princ_size(context, temp_client); + +@@ -346,6 +352,7 @@ get_closest_principal(krb5_context context, char **plist, + if(best_client){ + if(krb5_princ_size(context, best_client) > + krb5_princ_size(context, temp_client)){ ++ krb5_free_principal(context, best_client); + best_client = temp_client; + } + }else +@@ -358,9 +365,12 @@ get_closest_principal(krb5_context context, char **plist, + if (best_client) { + *found = TRUE; + *client = best_client; ++ best_client = NULL; + } + +- return 0; ++cleanup: ++ krb5_free_principal(context, best_client); ++ return retval; + } + + /**************************************************************** +@@ -471,6 +481,7 @@ find_princ_in_list(krb5_context context, krb5_principal princ, char **plist, + i++; + } + ++ free(princname); + return 0; + + } +@@ -498,11 +509,9 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + { + + princ_info princ_trials[10]; +- krb5_principal cc_def_princ = NULL; +- krb5_principal temp_client; +- krb5_principal target_client; +- krb5_principal source_client; +- krb5_principal end_server; ++ krb5_principal cc_def_princ = NULL, temp_client = NULL; ++ krb5_principal target_client = NULL, source_client = NULL; ++ krb5_principal end_server = NULL; + krb5_error_code retval; + char ** aplist =NULL; + krb5_boolean found = FALSE; +@@ 
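Review bot: In filter(), the new `goto cleanup` after a k5users_lookup failure returns without releasing `k5users_list`, while the success path frees it (`free (k5users_list);` a few lines further down), so on error the array and its remaining strings leak, and the caller cannot free them without double-freeing on success. Either release the list on the error path too or document that ownership transfers only on success. Separately, `gb_err = out_cmd;` overwrites whatever the global already holds (its definition is outside this hunk); if it can be non-NULL here, `free(gb_err);` before the assignment avoids leaking the earlier message.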
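Review bot: In get_closest_principal, the added `krb5_free_principal(context, best_client);` covers the displaced best candidate, but `temp_client`, parsed afresh each iteration by krb5_parse_name in the first hunk, is only retained when it becomes best_client; in the else branch and in the realm/component-mismatch cases, both outside this hunk, it still has to be released every iteration, and `cleanup` frees only best_client. Unless the loop tail already does so, add `krb5_free_principal(context, temp_client); temp_client = NULL;` at the end of each iteration and NULL out temp_client when it is adopted. The function body continues outside the visible hunks.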
-519,54 +528,59 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + if (ks_ccache_is_initialized(context, cc_source)) { + retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); + if (retval) +- return retval; ++ goto cleanup; + } + + retval=krb5_parse_name(context, target_user, &target_client); + if (retval) +- return retval; ++ goto cleanup; + + retval=krb5_parse_name(context, source_user, &source_client); + if (retval) +- return retval; ++ goto cleanup; + +- if (source_uid == 0){ +- if (target_uid != 0) +- *client = target_client; /* this will be used to restrict +- the cache copty */ +- else { +- if(cc_def_princ) +- *client = cc_def_princ; +- else +- *client = target_client; ++ if (source_uid == 0) { ++ if (target_uid != 0) { ++ /* This will be used to restrict the cache copy. */ ++ *client = target_client; ++ target_client = NULL; ++ } else if (cc_def_princ != NULL) { ++ *client = cc_def_princ; ++ cc_def_princ = NULL; ++ } else { ++ *client = target_client; ++ target_client = NULL; + } +- + if (auth_debug) + printf(" GET_best_princ_for_target: via source_uid == 0\n"); +- +- return 0; ++ goto cleanup; + } + + /* from here on, the code is for source_uid != 0 */ + + if (source_uid && (source_uid == target_uid)){ +- if(cc_def_princ) ++ if (cc_def_princ != NULL) { + *client = cc_def_princ; +- else ++ cc_def_princ = NULL; ++ } else { + *client = target_client; ++ target_client = NULL; ++ } + if (auth_debug) + printf("GET_best_princ_for_target: via source_uid == target_uid\n"); +- return 0; ++ goto cleanup; + } + + /* Become root, then target for looking at .k5login.*/ + if (krb5_seteuid(0) || krb5_seteuid(target_uid) ) { +- return errno; ++ retval = errno; ++ goto cleanup; + } + + /* if .k5users and .k5login do not exist */ + if (stat(k5login_path, &tb) && stat(k5users_path, &tb) ){ + *client = target_client; ++ target_client = NULL; + + if (cmd) + *path_out = NOT_AUTHORIZED; +@@ -574,26 +588,25 @@ get_best_princ_for_target(krb5_context 
context, uid_t source_uid, + if (auth_debug) + printf(" GET_best_princ_for_target: via no auth files path\n"); + +- return 0; ++ goto cleanup; + }else{ + retval = get_authorized_princ_names(target_user, cmd, &aplist); + if (retval) +- return retval; ++ goto cleanup; + + /* .k5users or .k5login exist, but no authorization */ + if ((!aplist) || (!aplist[0])) { + *path_out = NOT_AUTHORIZED; + if (auth_debug) + printf("GET_best_princ_for_target: via empty auth files path\n"); +- return 0; ++ goto cleanup; + } + } + + retval = krb5_sname_to_principal(context, hostname, NULL, + KRB5_NT_SRV_HST, &end_server); + if (retval) +- return retval; +- ++ goto cleanup; + + /* first see if default principal of the source cache + * can get us in, then the target_user@realm, then the +@@ -616,7 +629,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + retval= find_princ_in_list(context, princ_trials[i].p, aplist, + &found); + if (retval) +- return retval; ++ goto cleanup; + + if (found == TRUE){ + princ_trials[i].found = TRUE; +@@ -625,12 +638,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + princ_trials[i].p, + end_server, &found); + if (retval) +- return retval; ++ goto cleanup; + if (found == TRUE){ +- *client = princ_trials[i].p; ++ retval = krb5_copy_principal(context, princ_trials[i].p, ++ client); + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice #%d\n", i); +- return 0; ++ goto cleanup; + } + } + } +@@ -643,21 +657,23 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + while (aplist[i]){ + retval = krb5_parse_name(context, aplist[i], &temp_client); + if (retval) +- return retval; ++ goto cleanup; + + retval = find_either_ticket (context, cc_source, temp_client, + end_server, &found); + if (retval) +- return retval; ++ goto cleanup; + + if (found == TRUE){ + if (auth_debug) + printf("GET_best_princ_for_target: via ticket file, choice: any ok ticket \n" ); + *client = temp_client; +- 
return 0; ++ temp_client = NULL; ++ goto cleanup; + } + + krb5_free_principal(context, temp_client); ++ temp_client = NULL; + + i++; + } +@@ -668,11 +684,11 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + + for (i=0; i < count; i ++){ + if (princ_trials[i].found == TRUE){ +- *client = princ_trials[i].p; ++ retval = krb5_copy_principal(context, princ_trials[i].p, client); + + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice #%d \n",i); +- return 0; ++ goto cleanup; + } + } + +@@ -682,7 +698,7 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + retval=krb5_copy_principal(context, princ_trials[i].p, + &temp_client); + if(retval) +- return retval; ++ goto cleanup; + + /* get the client name that is the closest + to the three princ in trials */ +@@ -690,15 +706,15 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + retval=get_closest_principal(context, aplist, &temp_client, + &found); + if(retval) +- return retval; ++ goto cleanup; + + if (found == TRUE){ + *client = temp_client; ++ temp_client = NULL; + if (auth_debug) + printf("GET_best_princ_for_target: via prompt passwd list choice: approximation of princ in trials # %d \n",i); +- return 0; ++ goto cleanup; + } +- krb5_free_principal(context, temp_client); + } + } + +@@ -709,5 +725,13 @@ get_best_princ_for_target(krb5_context context, uid_t source_uid, + printf( "GET_best_princ_for_target: out of luck, can't get appropriate default principal\n"); + + *path_out = NOT_AUTHORIZED; +- return 0; ++ retval = 0; ++ ++cleanup: ++ krb5_free_principal(context, cc_def_princ); ++ krb5_free_principal(context, target_client); ++ krb5_free_principal(context, source_client); ++ krb5_free_principal(context, temp_client); ++ krb5_free_principal(context, end_server); ++ return retval; + } +diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c +index db10251f95..68cfe6b0ed 100644 +--- a/src/clients/ksu/krb_auth_su.c ++++ 
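Review bot: Dropping `krb5_free_principal(context, temp_client);` at the end of the trials loop introduces a leak: each pass begins with `krb5_copy_principal(context, princ_trials[i].p, &temp_client)` (previous hunk), so when get_closest_principal reports found == FALSE the copy is overwritten on the next pass without being freed, and when it reports found == TRUE the callee has already replaced `*client` with best_client (its `*client = best_client;` in heuristic.c frees nothing), so that copy is lost as well. Restore the per-iteration release after the `if (found == TRUE)` block — `krb5_free_principal(context, temp_client); temp_client = NULL;` — and have get_closest_principal free the incoming `*client` before overwriting it, or give it a separate const input and output parameter.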
b/src/clients/ksu/krb_auth_su.c +@@ -37,33 +37,31 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname, + char *target_user, krb5_ccache cc, int *path_passwd, + uid_t target_uid) + { +- krb5_principal client; ++ krb5_principal client = NULL; + krb5_verify_init_creds_opt vfy_opts; +- krb5_creds tgt, tgtq; ++ krb5_creds tgt = { 0 }, tgtq = { 0 }; + krb5_error_code retval =0; + int got_it = 0; + krb5_boolean zero_password; ++ krb5_boolean ok = FALSE; + + *path_passwd = 0; +- memset(&tgtq, 0, sizeof(tgtq)); +- memset(&tgt, 0, sizeof(tgt)); + + if ((retval= krb5_copy_principal(context, client_pname, &client))){ + com_err(prog_name, retval, _("while copying client principal")); +- return (FALSE) ; ++ goto cleanup; + } + + if ((retval= krb5_copy_principal(context, client, &tgtq.client))){ + com_err(prog_name, retval, _("while copying client principal")); +- return (FALSE) ; ++ goto cleanup; + } + + if ((retval = ksu_tgtname(context, krb5_princ_realm(context, client), + krb5_princ_realm(context, client), + &tgtq.server))){ + com_err(prog_name, retval, _("while creating tgt for local realm")); +- krb5_free_principal(context, client); +- return (FALSE) ; ++ goto cleanup; + } + + if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); } +@@ -77,7 +75,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname, + if ((retval != KRB5_CC_NOTFOUND) && + (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){ + com_err(prog_name, retval, _("while retrieving creds from cache")); +- return (FALSE) ; ++ goto cleanup; + } + } else{ + got_it = 1; +@@ -88,7 +86,7 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname, + #ifdef GET_TGT_VIA_PASSWD + if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { + com_err("ksu", errno, _("while switching to target uid")); +- return FALSE; ++ goto cleanup; + } + + +@@ -102,19 +100,19 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname, + &tgt) == FALSE) { + krb5_seteuid(0); + +- 
return FALSE; ++ goto cleanup; + } + *path_passwd = 1; + if (krb5_seteuid(0)) { + com_err("ksu", errno, _("while reclaiming root uid")); +- return FALSE; ++ goto cleanup; + } + + #else + plain_dump_principal (context, client); + fprintf(stderr, + _("does not have any appropriate tickets in the cache.\n")); +- return FALSE; ++ goto cleanup; + + #endif /* GET_TGT_VIA_PASSWD */ + +@@ -126,10 +124,16 @@ krb5_auth_check(krb5_context context, krb5_principal client_pname, + &vfy_opts); + if (retval) { + com_err(prog_name, retval, _("while verifying ticket for server")); +- return (FALSE); ++ goto cleanup; + } + +- return (TRUE); ++ ok = TRUE; ++ ++cleanup: ++ krb5_free_principal(context, client); ++ krb5_free_cred_contents(context, &tgt); ++ krb5_free_cred_contents(context, &tgtq); ++ return ok; + } + + krb5_boolean +@@ -137,11 +141,12 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client, + krb5_get_init_creds_opt *options, + krb5_boolean *zero_password, krb5_creds *creds_out) + { ++ krb5_boolean ok = FALSE; + krb5_error_code code; +- krb5_creds creds; ++ krb5_creds creds = { 0 }; + krb5_timestamp now; + unsigned int pwsize; +- char password[255], *client_name, prompt[255]; ++ char password[255], prompt[255], *client_name = NULL; + int result; + + *zero_password = FALSE; +@@ -150,14 +155,14 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client, + + if ((code = krb5_unparse_name(context, client, &client_name))) { + com_err (prog_name, code, _("when unparsing name")); +- return (FALSE); ++ goto cleanup; + } + + memset(&creds, 0, sizeof(creds)); + + if ((code = krb5_timeofday(context, &now))) { + com_err(prog_name, code, _("while getting time of day")); +- return (FALSE); ++ goto cleanup; + } + + result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "), +@@ -166,7 +171,7 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client, + fprintf(stderr, + _("principal name %s too long for internal buffer space\n"), + 
client_name); +- return FALSE; ++ goto cleanup; + } + + pwsize = sizeof(password); +@@ -175,13 +180,13 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client, + if (code ) { + com_err(prog_name, code, _("while reading password for '%s'\n"), + client_name); +- return (FALSE); ++ goto cleanup; + } + + if ( pwsize == 0) { + fprintf(stderr, _("No password given\n")); + *zero_password = TRUE; +- return (FALSE); ++ goto cleanup; + } + + code = krb5_get_init_creds_password(context, &creds, client, password, +@@ -195,13 +200,19 @@ ksu_get_tgt_via_passwd(krb5_context context, krb5_principal client, + fprintf(stderr, _("%s: Password incorrect\n"), prog_name); + else + com_err(prog_name, code, _("while getting initial credentials")); +- return (FALSE); ++ goto cleanup; + } +- if (creds_out != NULL) ++ if (creds_out != NULL) { + *creds_out = creds; +- else +- krb5_free_cred_contents(context, &creds); +- return (TRUE); ++ memset(&creds, 0, sizeof(creds)); ++ } ++ ++ ok = TRUE; ++ ++cleanup: ++ krb5_free_cred_contents(context, &creds); ++ free(client_name); ++ return ok; + } + + void +@@ -213,8 +224,10 @@ dump_principal(krb5_context context, char *str, krb5_principal p) + if ((retval = krb5_unparse_name(context, p, &stname))) { + fprintf(stderr, _(" %s while unparsing name\n"), + error_message(retval)); ++ return; + } + fprintf(stderr, " %s: %s\n", str, stname); ++ free(stname); + } + + void +@@ -226,71 +239,8 @@ plain_dump_principal (krb5_context context, krb5_principal p) + if ((retval = krb5_unparse_name(context, p, &stname))) { + fprintf(stderr, _(" %s while unparsing name\n"), + error_message(retval)); ++ return; + } + fprintf(stderr, "%s ", stname); +-} +- +- +-/********************************************************************** +-returns the principal that is closest to client. plist contains +-a principal list obtained from .k5login and parhaps .k5users file. +-This routine gets called before getting the password for a tgt. 
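Review bot: The new `cleanup` label is the right place to scrub the password, but `password[255]` is still left on the stack when ksu_get_tgt_via_passwd returns; since every path now reaches `cleanup`, add `zap(password, sizeof(password));` there (k5-int.h's zap(), if this translation unit includes it, otherwise explicit_bzero) so the wipe cannot be optimized away like a plain memset. The earlier `memset(&creds, 0, sizeof(creds));` is now redundant with the `krb5_creds creds = { 0 };` initializer added in the first hunk and can go. Note that `krb5_free_cred_contents(context, &creds)` in cleanup is correct on the success path only because `creds` is re-zeroed after being handed to `creds_out`; a short comment on that memset would prevent a future "cleanup" from removing it.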
+-A principal is picked that has the best chance of getting in. +- +-**********************************************************************/ +- +-krb5_error_code +-get_best_principal(krb5_context context, char **plist, krb5_principal *client) +-{ +- krb5_error_code retval =0; +- krb5_principal temp_client, best_client = NULL; +- +- int i = 0, nelem; +- +- if (! plist ) return 0; +- +- nelem = krb5_princ_size(context, *client); +- +- while(plist[i]){ +- +- if ((retval = krb5_parse_name(context, plist[i], &temp_client))){ +- return retval; +- } +- +- if (data_eq(*krb5_princ_realm(context, *client), +- *krb5_princ_realm(context, temp_client))) { +- +- if (nelem && +- krb5_princ_size(context, *client) > 0 && +- krb5_princ_size(context, temp_client) > 0) { +- krb5_data *p1 = +- krb5_princ_component(context, *client, 0); +- krb5_data *p2 = +- krb5_princ_component(context, temp_client, 0); +- +- if (data_eq(*p1, *p2)) { +- +- if (auth_debug){ +- fprintf(stderr, +- "get_best_principal: compare with %s\n", +- plist[i]); +- } +- +- if(best_client){ +- if(krb5_princ_size(context, best_client) > +- krb5_princ_size(context, temp_client)){ +- best_client = temp_client; +- } +- }else{ +- best_client = temp_client; +- } +- } +- } +- +- } +- i++; +- } +- +- if (best_client) *client = best_client; +- return 0; ++ free(stname); + } +diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h +index 66fb4bcc6a..32ce11cb85 100644 +--- a/src/clients/ksu/ksu.h ++++ b/src/clients/ksu/ksu.h +@@ -92,9 +92,6 @@ extern void plain_dump_principal + extern krb5_error_code krb5_parse_lifetime + (char *, long *); + +-extern krb5_error_code get_best_principal +-(krb5_context, char **, krb5_principal *); +- + /* ccache.c */ + extern krb5_error_code krb5_ccache_copy + (krb5_context, krb5_ccache, krb5_principal, krb5_ccache, +@@ -117,9 +114,6 @@ extern krb5_error_code krb5_check_exp + + extern char *flags_string (krb5_creds *); + +-extern krb5_error_code krb5_get_login_princ +-(const char *, char ***); 
+- + extern void show_credential + (krb5_context, krb5_creds *, krb5_ccache); + +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index 2a351662c8..77703a6a2b 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -1002,7 +1002,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ, + if (retval) { + com_err(prog_name, retval, + _("while generating part of the target ccache name")); +- return retval; ++ goto cleanup; + } + if (asprintf(&ccname, "%s.%s", target, sym) < 0) { + retval = ENOMEM; +@@ -1014,6 +1014,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ, + free(sym); + } while (ks_ccache_name_is_initialized(context, ccname)); + retval = krb5_cc_resolve(context, ccname, &ccache); ++ free(ccname); + } else { + /* Look for a cache in the collection that we can reuse. */ + retval = krb5_cc_cache_match(context, princ, &ccache); +diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c +index 26f340af31..976c8969e8 100644 +--- a/src/kadmin/cli/keytab.c ++++ b/src/kadmin/cli/keytab.c +@@ -363,7 +363,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab, + { + krb5_principal princ = NULL; + krb5_keytab_entry entry; +- krb5_kt_cursor cursor; ++ krb5_kt_cursor cursor = NULL; + enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; + int code, did_something; + krb5_kvno kvno; +@@ -443,6 +443,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab, + _("while temporarily ending keytab scan")); + goto cleanup; + } ++ cursor = NULL; + code = krb5_kt_remove_entry(context, keytab, &entry); + if (code != 0) { + com_err(whoami, code, _("while deleting entry from keytab")); +@@ -471,6 +472,7 @@ remove_principal(char *keytab_str, krb5_keytab keytab, + com_err(whoami, code, _("while ending keytab scan")); + goto cleanup; + } ++ cursor = NULL; + + /* + * If !did_someting then mode must be OLD or we would have +@@ -483,6 +485,8 @@ remove_principal(char *keytab_str, krb5_keytab keytab, + } + + cleanup: ++ if (cursor != 
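Review bot: The added `free(ccname);` after krb5_cc_resolve releases only the final name, but the `do { ... asprintf(&ccname, "%s.%s", target, sym) ... } while (ks_ccache_name_is_initialized(context, ccname));` loop assigns a fresh string on every pass, so if it iterates more than once the earlier name leaks unless it is freed at the top of the body (the loop head is outside this hunk). Either `free(ccname); ccname = NULL;` before each asprintf or hoist the free into the loop. Also confirm that the `retval = ENOMEM` path in the previous hunk does not pass an indeterminate `ccname` to cleanup, since asprintf leaves its output unspecified on failure.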
NULL) ++ (void)krb5_kt_end_seq_get(context, keytab, &cursor); + krb5_free_principal(context, princ); + } + +diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c +index 87a69ca145..a1c17d154d 100644 +--- a/src/kadmin/ktutil/ktutil.c ++++ b/src/kadmin/ktutil/ktutil.c +@@ -254,6 +254,7 @@ ktutil_list(int argc, char *argv[]) + buf, sizeof(buf)))) { + com_err(argv[0], retval, + _("While converting enctype to string")); ++ free(pname); + return; + } + printf(" (%s) ", buf); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index f883ae2df8..9a4826e441 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -1300,19 +1300,20 @@ static krb5_boolean + authorized_principal(krb5_context context, krb5_principal p, + krb5_enctype auth_etype) + { +- char *name, *ptr, buf[1024]; ++ krb5_boolean ok = FALSE; ++ char *name = NULL, *ptr, buf[1024]; + krb5_error_code retval; +- FILE *acl_file; ++ FILE *acl_file = NULL; + int end; + krb5_enctype acl_etype; + + retval = krb5_unparse_name(context, p, &name); + if (retval) +- return FALSE; ++ goto cleanup; + + acl_file = fopen(acl_file_name, "r"); + if (acl_file == NULL) +- return FALSE; ++ goto cleanup; + + while (!feof(acl_file)) { + if (!fgets(buf, sizeof(buf), acl_file)) +@@ -1342,14 +1343,16 @@ authorized_principal(krb5_context context, krb5_principal p, + (acl_etype != auth_etype))) + continue; + +- free(name); +- fclose(acl_file); +- return TRUE; ++ ok = TRUE; ++ goto cleanup; + } + } ++ ++cleanup: + free(name); +- fclose(acl_file); +- return FALSE; ++ if (acl_file != NULL) ++ fclose(acl_file); ++ return ok; + } + + static void +diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c +index 96a408c237..bf5cede54a 100644 +--- a/src/lib/gssapi/krb5/export_cred.c ++++ b/src/lib/gssapi/krb5/export_cred.c +@@ -447,8 +447,10 @@ krb5_gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle, + + /* Validate and lock cred_handle. 
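Review bot: authorized_principal reads the ACL with `fgets(buf, sizeof(buf), acl_file)` into a 1024-byte buffer, so an entry longer than 1023 characters is split and its tail is parsed as a separate ACL line on the next pass; because this function decides whether a peer may push a database, skip (or reject the file on) any line that does not end in a newline instead of treating the remainder as another entry. The new exit path itself is sound — `name` is freed and the FILE closed on every return — and the `while (!feof(acl_file))` idiom could simply become a loop on fgets() now that the body already breaks on NULL. The rest of the parsing logic sits between the two hunks and is not visible here.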
*/ + status = krb5_gss_validate_cred_1(minor_status, cred_handle, context); +- if (status != GSS_S_COMPLETE) ++ if (status != GSS_S_COMPLETE) { ++ krb5_free_context(context); + return status; ++ } + cred = (krb5_gss_cred_id_t)cred_handle; + + if (json_kgcred(context, cred, &jcred)) +diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c +index 83e7634106..d4b070f8c0 100644 +--- a/src/lib/gssapi/krb5/val_cred.c ++++ b/src/lib/gssapi/krb5/val_cred.c +@@ -35,6 +35,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, + krb5_gss_cred_id_t cred; + krb5_error_code code; + krb5_principal princ; ++ krb5_boolean same; + + cred = (krb5_gss_cred_id_t) cred_handle; + k5_mutex_lock(&cred->lock); +@@ -45,12 +46,13 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, + *minor_status = code; + return(GSS_S_DEFECTIVE_CREDENTIAL); + } +- if (!krb5_principal_compare(context, princ, cred->name->princ)) { ++ same = krb5_principal_compare(context, princ, cred->name->princ); ++ (void)krb5_free_principal(context, princ); ++ if (!same) { + k5_mutex_unlock(&cred->lock); + *minor_status = KG_CCACHE_NOMATCH; + return(GSS_S_DEFECTIVE_CREDENTIAL); + } +- (void)krb5_free_principal(context, princ); + } + *minor_status = 0; + return GSS_S_COMPLETE; +diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c +index 2ec80a0f2b..4efcaf9941 100644 +--- a/src/lib/kadm5/srv/server_kdb.c ++++ b/src/lib/kadm5/srv/server_kdb.c +@@ -67,11 +67,10 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, + if (ret) + goto done; + +- if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ, +- &master_keyblock))) { ++ ret = krb5_db_fetch_mkey_list(handle->context, master_princ, ++ &master_keyblock); ++ if (ret) + krb5_db_fini(handle->context); +- return (ret); +- } + + done: + if (r == NULL) +diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c +index c93e7c78e5..1f917d49bb 100644 
+--- a/src/lib/krb5/ccache/cc_kcm.c ++++ b/src/lib/krb5/ccache/cc_kcm.c +@@ -992,10 +992,14 @@ kcm_start_seq_get(krb5_context context, krb5_ccache cache, + if (cursor == NULL) + goto cleanup; + cursor->uuids = uuids; ++ uuids = NULL; + cursor->creds = creds; ++ creds = NULL; + *cursor_out = (krb5_cc_cursor)cursor; + + cleanup: ++ free_cred_list(creds); ++ free_uuid_list(uuids); + kcmreq_free(&req); + return ret; + } +diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c +index e0eb39a612..9b755f0e36 100644 +--- a/src/lib/krb5/ccache/ccfns.c ++++ b/src/lib/krb5/ccache/ccfns.c +@@ -198,18 +198,18 @@ k5_build_conf_principals(krb5_context context, krb5_ccache id, + if (principal) { + ret = krb5_unparse_name(context, principal, &pname); + if (ret) +- return ret; ++ goto cleanup; + } + + ret = krb5_build_principal(context, &cred->server, + sizeof(conf_realm) - 1, conf_realm, + conf_name, name, pname, (char *)NULL); +- krb5_free_unparsed_name(context, pname); +- if (ret) { +- krb5_free_principal(context, client); +- return ret; +- } ++ if (ret) ++ goto cleanup; + ret = krb5_copy_principal(context, client, &cred->client); ++ ++cleanup: ++ krb5_free_unparsed_name(context, pname); + krb5_free_principal(context, client); + return ret; + } +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index f3ea28c8ec..8fd1505115 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -456,15 +456,16 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor * + return ENOMEM; + } + *fileoff = KTSTARTOFF(id); +- *cursorp = (krb5_kt_cursor)fileoff; + KTITERS(id)++; + if (KTITERS(id) == 0) { + /* Wrapped?! 
*/ + KTITERS(id)--; + KTUNLOCK(id); ++ free(fileoff); + k5_setmsg(context, KRB5_KT_IOERR, "Too many keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ + } ++ *cursorp = (krb5_kt_cursor)fileoff; + KTUNLOCK(id); + + return 0; +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +index 753929b06d..f7fad27867 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +@@ -271,16 +271,18 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm) + for (ent = ldap_first_entry (ld, result); ent != NULL; + ent = ldap_next_entry (ld, ent)) { + if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) { +- for (i = 0; values[i] != NULL; ++i) { ++ for (i = 0; values[i] != NULL && !st; ++i) { + krb5_parse_name(context, values[i], &principal); + if (principal_in_realm_2(principal, lrealm) == 0) { + st=krb5_ldap_delete_principal(context, principal); +- if (st && st != KRB5_KDB_NOENTRY) +- goto cleanup; ++ if (st == KRB5_KDB_NOENTRY) ++ st = 0; + } + krb5_free_principal(context, principal); + } + ldap_value_free(values); ++ if (st) ++ goto cleanup; + } + } + } +-- +2.45.1 + diff --git a/SOURCES/0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch b/SOURCES/0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch new file mode 100644 index 0000000..65737be --- /dev/null +++ b/SOURCES/0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch 
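Review bot: In krb5_ldap_delete_realm the loop still ignores the return value of `krb5_parse_name(context, values[i], &principal);` even though its condition now keys off `st`; if parsing fails, `principal` is either NULL or whatever the previous iteration left behind after krb5_free_principal, and principal_in_realm_2 and krb5_free_principal then operate on it. Capture the result and leave the loop on failure, e.g. `st = krb5_parse_name(context, values[i], &principal); if (st) break;`, which also lets the new `if (st) goto cleanup;` after ldap_value_free report the error. Whether krb5_parse_name NULLs its output on failure is not visible here, so the code should not rely on it.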
@@ -0,0 +1,34 @@
+From 6e898b880a0c752f83decf33d64a7d8706e6d6f8 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 27 Oct 2023 00:44:53 -0400
+Subject: [PATCH] End connection on KDC_ERR_SVC_UNAVAILABLE
+
+In sendto_kdc.c:service_fds(), if a message handler indicates that a
+message should be discarded, kill the connection so we don't continue
+waiting on it for more data.
+
+ticket: 7899
+(cherry picked from commit ca80f64c786341d5871ae1de18142e62af64f7b9)
+---
+ src/lib/krb5/os/sendto_kdc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index 0f4bf23a95..262edf09b4 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -1440,7 +1440,10 @@ service_fds(krb5_context context, struct select_state *selstate,
+ if (msg_handler != NULL) {
+ krb5_data reply = make_data(state->in.buf, state->in.pos);
+
+- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
++ if (!msg_handler(context, &reply, msg_handler_data)) {
++ kill_conn(context, state, selstate);
++ stop = 0;
++ }
+ }
+
+ if (stop) {
+--
+2.45.1
+
diff --git a/SOURCES/0019-Add-request_timeout-configuration-parameter.patch b/SOURCES/0019-Add-request_timeout-configuration-parameter.patch
new file mode 100644
index 0000000..0cc6fb6
--- /dev/null
+++ b/SOURCES/0019-Add-request_timeout-configuration-parameter.patch
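Review bot: With the rewrite at `++ if (!msg_handler(context, &reply, msg_handler_data)) {`, `stop` is no longer assigned on the path where the handler returns non-zero, so the branch now silently relies on `stop` having been set to a true value earlier in service_fds, outside this hunk, where the removed line used to make that explicit. A comment above the new `if` would preserve the intent: `/* The handler rejected this reply: drop the connection so we stop waiting on it, and let the caller keep polling the others. */`. It is also worth confirming that kill_conn() leaves `state` usable by the enclosing loop's `state = state->next`, which is not visible here. service_fds begins and ends outside the hunk.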
@@ -0,0 +1,226 @@ +From fa711b7cb3b7cbb234bd202bc9d9b9d7ca4defad Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 26 Oct 2023 14:20:34 -0400 +Subject: [PATCH] Add request_timeout configuration parameter + +Add a parameter to limit the total amount of time taken for a KDC or +password change request. + +ticket: 9106 (new) +(cherry picked from commit 802318cda963456b3ed7856c836e89da891483be) +--- + doc/admin/conf_files/krb5_conf.rst | 9 ++++++ + src/include/k5-int.h | 2 ++ + src/lib/krb5/krb/init_ctx.c | 14 +++++++- + src/lib/krb5/os/sendto_kdc.c | 51 ++++++++++++++++++++---------- + 4 files changed, 58 insertions(+), 18 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index a33711d918..65fb592d98 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -356,6 +356,15 @@ The libdefaults section may contain any of the following relations: + (:ref:`duration` string.) Sets the default renewable lifetime + for initial ticket requests. The default value is 0. + ++**request_timeout** ++ (:ref:`duration` string.) Sets the maximum total time for KDC or ++ password change requests. This timeout does not affect the ++ intervals between requests, so setting a low timeout may result in ++ fewer requests being attempted and/or some servers not being ++ contacted. A value of 0 indicates no specific maximum, in which ++ case requests will time out if no server responds after several ++ tries. The default value is 0. (New in release 1.22.) ++ + **spake_preauth_groups** + A whitespace or comma-separated list of words which specifies the + groups allowed for SPAKE preauthentication. 
The possible values +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index b3e07945c1..69d6a6f569 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -296,6 +296,7 @@ typedef unsigned char u_char; + #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator" + #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge" + #define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups" ++#define KRB5_CONF_REQUEST_TIMEOUT "request_timeout" + #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime" + #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit" + #define KRB5_CONF_UNLOCKITER "unlockiter" +@@ -1200,6 +1201,7 @@ struct _krb5_context { + kdb5_dal_handle *dal_handle; + /* allowable clock skew */ + krb5_deltat clockskew; ++ krb5_deltat req_timeout; + krb5_flags kdc_default_options; + krb5_flags library_options; + krb5_boolean profile_secure; +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 2b5abcd817..582a2945ff 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -157,7 +157,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + krb5_context ctx = 0; + krb5_error_code retval; + int tmp; +- char *plugin_dir = NULL; ++ char *plugin_dir = NULL, *timeout_str = NULL; + + /* Verify some assumptions. 
If the assumptions hold and the + compiler is optimizing, this should result in no code being +@@ -240,6 +240,17 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp); + ctx->clockskew = tmp; + ++ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, ++ KRB5_CONF_REQUEST_TIMEOUT, NULL, NULL, ++ &timeout_str); ++ if (retval) ++ goto cleanup; ++ if (timeout_str != NULL) { ++ retval = krb5_string_to_deltat(timeout_str, &ctx->req_timeout); ++ if (retval) ++ goto cleanup; ++ } ++ + get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK, + &tmp); + ctx->kdc_default_options = tmp; +@@ -281,6 +292,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + + cleanup: + profile_release_string(plugin_dir); ++ profile_release_string(timeout_str); + krb5_free_context(ctx); + return retval; + } +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 262edf09b4..98247a1089 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -1395,34 +1395,41 @@ get_endtime(time_ms endtime, struct conn_state *conns) + + static krb5_boolean + service_fds(krb5_context context, struct select_state *selstate, +- time_ms interval, struct conn_state *conns, ++ time_ms interval, time_ms timeout, struct conn_state *conns, + struct select_state *seltemp, const krb5_data *realm, + int (*msg_handler)(krb5_context, const krb5_data *, void *), + void *msg_handler_data, struct conn_state **winner_out) + { + int e, selret = 0; +- time_ms endtime; ++ time_ms curtime, interval_end, endtime; + struct conn_state *state; + + *winner_out = NULL; + +- e = get_curtime_ms(&endtime); ++ e = get_curtime_ms(&curtime); + if (e) + return TRUE; +- endtime += interval; ++ interval_end = curtime + interval; + + e = 0; + while (selstate->nfds > 0) { +- e = cm_select_or_poll(selstate, get_endtime(endtime, conns), +- seltemp, &selret); ++ endtime = 
get_endtime(interval_end, conns); ++ /* Don't wait longer than the whole request should last. */ ++ if (timeout && endtime > timeout) ++ endtime = timeout; ++ e = cm_select_or_poll(selstate, endtime, seltemp, &selret); + if (e == EINTR) + continue; + if (e != 0) + break; + +- if (selret == 0) +- /* Timeout, return to caller. */ ++ if (selret == 0) { ++ /* We timed out. Stop if we hit the overall request timeout. */ ++ if (timeout && (get_curtime_ms(&curtime) || curtime >= timeout)) ++ return TRUE; ++ /* Otherwise return to the caller to send the next request. */ + return FALSE; ++ } + + /* Got something on a socket, process it. */ + for (state = conns; state != NULL; state = state->next) { +@@ -1495,7 +1502,7 @@ k5_sendto(krb5_context context, const krb5_data *message, + void *msg_handler_data) + { + int pass; +- time_ms delay; ++ time_ms delay, timeout = 0; + krb5_error_code retval; + struct conn_state *conns = NULL, *state, **tailptr, *next, *winner; + size_t s; +@@ -1505,6 +1512,13 @@ k5_sendto(krb5_context context, const krb5_data *message, + + *reply = empty_data(); + ++ if (context->req_timeout) { ++ retval = get_curtime_ms(&timeout); ++ if (retval) ++ return retval; ++ timeout += 1000 * context->req_timeout; ++ } ++ + /* One for use here, listing all our fds in use, and one for + * temporary use in service_fds, for the fds of interest. 
*/ + sel_state = malloc(2 * sizeof(*sel_state)); +@@ -1532,8 +1546,9 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, 1000, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + } + } + +@@ -1545,13 +1560,13 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, ++ done = service_fds(context, sel_state, 1000, timeout, conns, seltemp, + realm, msg_handler, msg_handler_data, &winner); + } + + /* Wait for two seconds at the end of the first pass. */ + if (!done) { +- done = service_fds(context, sel_state, 2000, conns, seltemp, ++ done = service_fds(context, sel_state, 2000, timeout, conns, seltemp, + realm, msg_handler, msg_handler_data, &winner); + } + +@@ -1562,15 +1577,17 @@ k5_sendto(krb5_context context, const krb5_data *message, + if (maybe_send(context, state, message, sel_state, realm, + callback_info)) + continue; +- done = service_fds(context, sel_state, 1000, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, 1000, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + if (sel_state->nfds == 0) + break; + } + /* Wait for the delay backoff at the end of this pass. */ + if (!done) { +- done = service_fds(context, sel_state, delay, conns, seltemp, +- realm, msg_handler, msg_handler_data, &winner); ++ done = service_fds(context, sel_state, delay, timeout, conns, ++ seltemp, realm, msg_handler, msg_handler_data, ++ &winner); + } + if (sel_state->nfds == 0) + break; +-- +2.45.1 + 
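Review bot: `timeout += 1000 * context->req_timeout;` in k5_sendto multiplies in the width of `krb5_deltat` (a 32-bit signed type in krb5) before the product is widened to `time_ms`, so a configured request_timeout above roughly 24 days (2147483 seconds, e.g. "30d") overflows signed arithmetic — undefined behaviour that in practice yields a deadline in the past and makes every request fail on its first timeout. Widen first: `timeout += (time_ms)context->req_timeout * 1000;`, assuming `time_ms` is wider than 32 bits, which the hunk does not show. The init_ctx.c hunk also stores whatever krb5_string_to_deltat() returns without a range check; if that parser accepts a leading minus, a negative value likewise produces a past deadline, so rejecting it with `if (ctx->req_timeout < 0) { retval = EINVAL; goto cleanup; }` makes the failure mode deliberate rather than accidental. service_fds and k5_sendto both continue outside the hunk.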
diff --git a/SOURCES/0020-Wait-indefinitely-on-KDC-TCP-connections.patch b/SOURCES/0020-Wait-indefinitely-on-KDC-TCP-connections.patch
new file mode 100644
index 0000000..b1e6e99
--- /dev/null
+++ b/SOURCES/0020-Wait-indefinitely-on-KDC-TCP-connections.patch
@@ -0,0 +1,138 @@ +From 58b64df22e22b9b89f9c6af96990276a1fc8e3c6 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Thu, 26 Oct 2023 16:26:42 -0400 +Subject: [PATCH] Wait indefinitely on KDC TCP connections + +When making a KDC or password change request, wait indefinitely +(limited only by request_timeout if set) once a KDC has accepted a TCP +connection. + +ticket: 9105 (new) +(cherry picked from commit 6436a3808061da787a43c6810f5f0370cdfb6e36) +--- + doc/admin/conf_files/krb5_conf.rst | 2 +- + src/lib/krb5/os/sendto_kdc.c | 50 ++++++++++++++++-------------- + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index 65fb592d98..b7284c47df 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -357,7 +357,7 @@ The libdefaults section may contain any of the following relations: + for initial ticket requests. The default value is 0. + + **request_timeout** +- (:ref:`duration` string.) Sets the maximum total time for KDC or ++ (:ref:`duration` string.) Sets the maximum total time for KDC and + password change requests. 
This timeout does not affect the + intervals between requests, so setting a low timeout may result in + fewer requests being attempted and/or some servers not being +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 98247a1089..924f5b2d26 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -134,7 +134,6 @@ struct conn_state { + krb5_data callback_buffer; + size_t server_index; + struct conn_state *next; +- time_ms endtime; + krb5_boolean defer; + struct { + const char *uri_path; +@@ -344,15 +343,19 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime, + struct select_state *out, int *sret) + { + #ifndef USE_POLL +- struct timeval tv; ++ struct timeval tv, *tvp; + #endif + krb5_error_code retval; + time_ms curtime, interval; + +- retval = get_curtime_ms(&curtime); +- if (retval != 0) +- return retval; +- interval = (curtime < endtime) ? endtime - curtime : 0; ++ if (endtime != 0) { ++ retval = get_curtime_ms(&curtime); ++ if (retval != 0) ++ return retval; ++ interval = (curtime < endtime) ? endtime - curtime : 0; ++ } else { ++ interval = -1; ++ } + + /* We don't need a separate copy of the selstate for poll, but use one for + * consistency with how we use select. */ +@@ -361,9 +364,14 @@ cm_select_or_poll(const struct select_state *in, time_ms endtime, + #ifdef USE_POLL + *sret = poll(out->fds, out->nfds, interval); + #else +- tv.tv_sec = interval / 1000; +- tv.tv_usec = interval % 1000 * 1000; +- *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, &tv); ++ if (interval != -1) { ++ tv.tv_sec = interval / 1000; ++ tv.tv_usec = interval % 1000 * 1000; ++ tvp = &tv; ++ } else { ++ tvp = NULL; ++ } ++ *sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, tvp); + #endif + + return (*sret < 0) ? 
SOCKET_ERRNO : 0; +@@ -1099,11 +1107,6 @@ service_tcp_connect(krb5_context context, const krb5_data *realm, + } + + conn->state = WRITING; +- +- /* Record this connection's timeout for service_fds. */ +- if (get_curtime_ms(&conn->endtime) == 0) +- conn->endtime += 10000; +- + return conn->service_write(context, realm, conn, selstate); + } + +@@ -1378,19 +1381,18 @@ kill_conn: + return FALSE; + } + +-/* Return the maximum of endtime and the endtime fields of all currently active +- * TCP connections. */ +-static time_ms +-get_endtime(time_ms endtime, struct conn_state *conns) ++/* Return true if conns contains any states with connected TCP sockets. */ ++static krb5_boolean ++any_tcp_connections(struct conn_state *conns) + { + struct conn_state *state; + + for (state = conns; state != NULL; state = state->next) { +- if ((state->state == READING || state->state == WRITING) && +- state->endtime > endtime) +- endtime = state->endtime; ++ if (state->addr.transport != UDP && ++ (state->state == READING || state->state == WRITING)) ++ return TRUE; + } +- return endtime; ++ return FALSE; + } + + static krb5_boolean +@@ -1413,9 +1415,9 @@ service_fds(krb5_context context, struct select_state *selstate, + + e = 0; + while (selstate->nfds > 0) { +- endtime = get_endtime(interval_end, conns); ++ endtime = any_tcp_connections(conns) ? 0 : interval_end; + /* Don't wait longer than the whole request should last. */ +- if (timeout && endtime > timeout) ++ if (timeout && (!endtime || endtime > timeout)) + endtime = timeout; + e = cm_select_or_poll(selstate, endtime, seltemp, &selret); + if (e == EINTR) +-- +2.45.1 + diff --git a/SOURCES/0021-Remove-klist-s-defname-global-variable.patch b/SOURCES/0021-Remove-klist-s-defname-global-variable.patch new file mode 100644 index 0000000..d7c4ec3 --- /dev/null +++ b/SOURCES/0021-Remove-klist-s-defname-global-variable.patch 
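Review bot: The new `endtime = any_tcp_connections(conns) ? 0 : interval_end;` drops the removed per-connection 10-second deadline, so once any KDC has accepted a TCP connection the client sits in cm_select_or_poll() with no timeout (`interval = -1`, `tvp = NULL`) until that server answers or closes; with request_timeout at its documented default of 0 there is no bound at all, and a KDC that accepts connections but never completes a reply can hold a login indefinitely — an availability regression defenders should know about, since the only mitigation is to set request_timeout. The hunk's krb5_conf.rst change merely swaps "or" for "and" and leaves this interaction undocumented; add to the request_timeout entry: `Once a KDC has accepted a TCP connection, the library waits indefinitely for its reply unless request_timeout is set.` and on the new line `/* 0 = no deadline; only request_timeout bounds a connected TCP server. */`. cm_select_or_poll and service_fds both continue outside the hunk.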
@@ -0,0 +1,71 @@
+From fa9dfdc9d85e88b6880edde5de45333b97a53a11 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Mon, 8 Jan 2024 16:52:27 +0100
+Subject: [PATCH] Remove klist's defname global variable
+
+Addition of a "cleanup" section in kinit's show_ccache() function as
+part of commit 6c5471176f5266564fbc8a7e02f03b4b042202f8 introduced a
+double-free bug, because defname is a global variable. After the
+first call, successive calls may take place with a dangling pointer in
+defname, which will be freed if krb5_cc_get_principal() fails.
+
+Convert "defname" to a local variable initialized at the beginning of
+show_ccache().
+
+[ghudson@mit.edu: edited commit message]
+
+(cherry picked from commit 5b00197227231943bd2305328c8260dd0b0dbcf0)
+---
+ src/clients/klist/klist.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
+index b5ae96a843..b5808e5c93 100644
+--- a/src/clients/klist/klist.c
++++ b/src/clients/klist/klist.c
+@@ -53,7 +53,6 @@ int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
+ int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
+ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
+ int show_config = 0;
+-char *defname;
+ char *progname;
+ krb5_timestamp now;
+ unsigned int timestamp_width;
+@@ -62,7 +61,7 @@ krb5_context context;
+
+ static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm);
+ static char *etype_string(krb5_enctype );
+-static void show_credential(krb5_creds *);
++static void show_credential(krb5_creds *, const char *);
+
+ static void list_all_ccaches(void);
+ static int list_ccache(krb5_ccache);
+@@ -473,6 +472,7 @@ show_ccache(krb5_ccache cache)
+ krb5_creds creds;
+ krb5_principal princ = NULL;
+ krb5_error_code ret;
++ char *defname = NULL;
+ int status = 1;
+
+ ret = krb5_cc_get_principal(context, cache, &princ);
+@@ -503,7 +503,7 @@ show_ccache(krb5_ccache cache)
+ }
+ while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
+ if (show_config || !krb5_is_config_principal(context, creds.server))
+- show_credential(&creds);
++ show_credential(&creds, defname);
+ krb5_free_cred_contents(context, &creds);
+ }
+ if (ret == KRB5_CC_END) {
+@@ -676,7 +676,7 @@ print_config_data(int col, krb5_data *data)
+ }
+
+ static void
+-show_credential(krb5_creds *cred)
++show_credential(krb5_creds *cred, const char *defname)
+ {
+ krb5_error_code ret;
+ krb5_ticket *tkt = NULL;
+--
+2.45.1
+
diff --git a/SOURCES/0022-Fix-two-unlikely-memory-leaks.patch b/SOURCES/0022-Fix-two-unlikely-memory-leaks.patch
new file mode 100644
index 0000000..73862cd
--- /dev/null
+++ b/SOURCES/0022-Fix-two-unlikely-memory-leaks.patch
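Review bot: The patch's own description attributes the double free to "kinit's show_ccache()", but the only file it touches is src/clients/klist/klist.c and the global it removes is klist's `defname`; the wording should say klist so the next reader does not go looking in kinit. The hunk shows `char *defname = NULL;` being declared and passed to show_credential(), but neither the place it is assigned nor the cleanup section that frees it, so the single-assignment/single-free pairing the commit relies on cannot be checked from here — please confirm the cleanup releases `defname` with krb5_free_unparsed_name() exactly once on every exit. show_ccache and show_credential both continue outside the hunk.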
@@ -0,0 +1,206 @@ +From 313d7b1afdcfca2bc0f6824cfeb25594c2eae176 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 5 Mar 2024 19:53:07 -0500 +Subject: [PATCH] Fix two unlikely memory leaks + +In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which +could probably never be triggered) leaks plain.data. Fix this leak +and use current practices for cleanup throughout the function. + +In xmt_rmtcallres() (unused within the tree and likely elsewhere), +store port_ptr into crp->port_ptr as soon as it is allocated; +otherwise it could leak if the subsequent xdr_u_int32() operation +fails. + +(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d) +--- + src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++------------------- + src/lib/rpc/pmap_rmt.c | 10 +++--- + 2 files changed, 29 insertions(+), 37 deletions(-) + +diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c +index 1fcbdfbb87..d3210c1107 100644 +--- a/src/lib/gssapi/krb5/k5sealv3.c ++++ b/src/lib/gssapi/krb5/k5sealv3.c +@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + int conf_req_flag, int toktype) + { + size_t bufsize = 16; +- unsigned char *outbuf = 0; ++ unsigned char *outbuf = NULL; + krb5_error_code err; + int key_usage; + unsigned char acceptor_flag; +@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + size_t ec; + unsigned short tok_id; +- krb5_checksum sum; ++ krb5_checksum sum = { 0 }; + krb5_key key; + krb5_cksumtype cksumtype; ++ krb5_data plain = empty_data(); ++ ++ token->value = NULL; ++ token->length = 0; + + acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; + key_usage = (toktype == KG_TOK_WRAP_MSG +@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + + if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { +- krb5_data plain; + krb5_enc_data cipher; + size_t ec_max; + size_t encrypt_size; + + /* 300: Adds some slop. 
*/ +- if (SIZE_MAX - 300 < message->length) +- return ENOMEM; ++ if (SIZE_MAX - 300 < message->length) { ++ err = ENOMEM; ++ goto cleanup; ++ } + ec_max = SIZE_MAX - message->length - 300; + if (ec_max > 0xffff) + ec_max = 0xffff; +@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + #endif + err = alloc_data(&plain, message->length + 16 + ec); + if (err) +- return err; ++ goto cleanup; + + /* Get size of ciphertext. */ + encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype); + if (encrypt_size > SIZE_MAX / 2) { + err = ENOMEM; +- goto error; ++ goto cleanup; + } + bufsize = 16 + encrypt_size; + /* Allocate space for header plus encrypted data. */ + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- return ENOMEM; ++ err = ENOMEM; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + cipher.ciphertext.length = bufsize - 16; + cipher.enctype = key->keyblock.enctype; + err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) +- goto error; ++ goto cleanup; + + /* Now that we know we're returning a valid token.... */ + ctx->seq_send++; +@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + /* If the rotate fails, don't worry about it. 
*/ + #endif + } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { +- krb5_data plain; + size_t cksumsize; + + /* Here, message is the application-supplied data; message2 is +@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + wrap_with_checksum: + err = alloc_data(&plain, message->length + 16); + if (err) +- return err; ++ goto cleanup; + + err = krb5_c_checksum_length(context, cksumtype, &cksumsize); + if (err) +- goto error; ++ goto cleanup; + + assert(cksumsize <= 0xffff); + + bufsize = 16 + message2->length + cksumsize; + outbuf = gssalloc_malloc(bufsize); + if (outbuf == NULL) { +- free(plain.data); +- plain.data = 0; + err = ENOMEM; +- goto error; ++ goto cleanup; + } + + /* TOK_ID */ +@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + if (message2->length) + memcpy(outbuf + 16, message2->value, message2->length); + +- sum.contents = outbuf + 16 + message2->length; +- sum.length = cksumsize; +- + err = krb5_k_make_checksum(context, cksumtype, key, + key_usage, &plain, &sum); +- zap(plain.data, plain.length); +- free(plain.data); +- plain.data = 0; + if (err) { + zap(outbuf,bufsize); +- goto error; ++ goto cleanup; + } + if (sum.length != cksumsize) + abort(); + memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize); +- krb5_free_checksum_contents(context, &sum); +- sum.contents = 0; + /* Now that we know we're actually generating the token... 
*/ + ctx->seq_send++; + +@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, + + token->value = outbuf; + token->length = bufsize; +- return 0; ++ outbuf = NULL; ++ err = 0; + +-error: ++cleanup: ++ krb5_free_checksum_contents(context, &sum); ++ zapfree(plain.data, plain.length); + gssalloc_free(outbuf); +- token->value = NULL; +- token->length = 0; + return err; + } + +diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c +index 434e4eea65..f55ca46c60 100644 +--- a/src/lib/rpc/pmap_rmt.c ++++ b/src/lib/rpc/pmap_rmt.c +@@ -161,12 +161,12 @@ xdr_rmtcallres( + caddr_t port_ptr; + + port_ptr = (caddr_t)(void *)crp->port_ptr; +- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), +- (xdrproc_t)xdr_u_int32) && +- xdr_u_int32(xdrs, &crp->resultslen)) { +- crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t), ++ (xdrproc_t)xdr_u_int32)) ++ return (FALSE); ++ crp->port_ptr = (uint32_t *)(void *)port_ptr; ++ if (xdr_u_int32(xdrs, &crp->resultslen)) + return ((*(crp->xdr_results))(xdrs, crp->results_ptr)); +- } + return (FALSE); + } + +-- +2.45.1 + diff --git a/SOURCES/kadm5.acl b/SOURCES/kadm5.acl new file mode 100644 index 0000000..dc93eb0 --- /dev/null +++ b/SOURCES/kadm5.acl @@ -0,0 +1 @@ +*/admin@EXAMPLE.COM * diff --git a/SOURCES/kadmin.service b/SOURCES/kadmin.service new file mode 100644 index 0000000..daa08b1 --- /dev/null +++ b/SOURCES/kadmin.service @@ -0,0 +1,15 @@ +[Unit] +Description=Kerberos 5 Password-changing and Administration +Wants=network-online.target +After=syslog.target network.target network-online.target +AssertPathExists=!/var/kerberos/krb5kdc/kpropd.acl + +[Service] +Type=forking +PIDFile=/run/kadmind.pid +EnvironmentFile=-/etc/sysconfig/kadmin +ExecStart=/usr/sbin/kadmind -P /run/kadmind.pid $KADMIND_ARGS +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target 
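Review bot: After the rewrite, the `zap(outbuf,bufsize);` kept before `goto cleanup` in the checksum branch is the only error exit that scrubs outbuf, even though in that branch outbuf already holds the caller's data copied by `memcpy(outbuf + 16, message2->value, message2->length);`, while every other failure reaches `cleanup:` and hands outbuf to `gssalloc_free()` unscrubbed; `plain` now gets `zapfree`, so outbuf is the inconsistent one. Moving the scrub into the cleanup block makes the policy uniform — `if (outbuf != NULL) zap(outbuf, bufsize);` immediately before `gssalloc_free(outbuf);` (on success outbuf is NULL there, so the returned token is untouched) — and lets the branch-local zap go, assuming the MIC path not shown here also allocates outbuf with `bufsize`. That unseen MIC path also needs checking against the new `krb5_free_checksum_contents(context, &sum);` in cleanup: if it still frees `sum` itself it must leave `sum.contents` NULL, or the checksum is freed twice. In pmap_rmt.c the reordering deserves a one-line comment, `/* Store port_ptr now so it is not leaked if the next decode fails. */`. gss_krb5int_make_seal_token_v3 and xdr_rmtcallres both continue outside the hunks.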
diff --git a/SOURCES/kadmin.sysconfig b/SOURCES/kadmin.sysconfig new file mode 100644 index 0000000..fa72039 --- /dev/null +++ b/SOURCES/kadmin.sysconfig @@ -0,0 +1 @@ +KADMIND_ARGS= diff --git a/SOURCES/kadmind.logrotate b/SOURCES/kadmind.logrotate new file mode 100644 index 0000000..f00aa4d --- /dev/null +++ b/SOURCES/kadmind.logrotate @@ -0,0 +1,9 @@ +/var/log/kadmind.log { + missingok + notifempty + monthly + rotate 12 + postrotate + systemctl reload kadmin.service || true + endscript +} diff --git a/SOURCES/kdc.conf b/SOURCES/kdc.conf new file mode 100644 index 0000000..c504e58 --- /dev/null +++ b/SOURCES/kdc.conf @@ -0,0 +1,16 @@ +[kdcdefaults] + kdc_ports = 88 + kdc_tcp_ports = 88 + spake_preauth_kdc_challenge = edwards25519 + +[realms] +EXAMPLE.COM = { + master_key_type = aes256-cts-hmac-sha384-192 + acl_file = /var/kerberos/krb5kdc/kadm5.acl + dict_file = /usr/share/dict/words + default_principal_flags = +preauth + admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab + supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal + # Supported encryption types for FIPS mode: + #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal +} diff --git a/SOURCES/kprop.service b/SOURCES/kprop.service new file mode 100644 index 0000000..7b5d4b9 --- /dev/null +++ b/SOURCES/kprop.service @@ -0,0 +1,13 @@ +[Unit] +Description=Kerberos 5 Propagation +Wants=network-online.target +After=syslog.target network.target network-online.target +AssertPathExists=/var/kerberos/krb5kdc/kpropd.acl + +[Service] +Type=forking +EnvironmentFile=-/etc/sysconfig/kprop +ExecStart=/usr/sbin/kpropd $KPROPD_ARGS + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/kprop.sysconfig b/SOURCES/kprop.sysconfig new file mode 100644 index 0000000..f43e8bb --- /dev/null 
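Review bot: The shipped kdc.conf's `supported_enctypes` line ends with `arcfour-hmac-md5:normal`, so every principal created with the packaged defaults receives an RC4-HMAC long-term key next to the AES and Camellia keys; RC4-HMAC is deprecated by RFC 8429 and its key is the unsalted MD4 hash of the password, so a KDB compromise exposes a directly crackable hash. Unless the downstream needs it for interoperability with legacy clients, drop it from the default line, or at least extend the existing FIPS comment so operators see the trade-off, e.g. `# arcfour-hmac-md5 is deprecated (RFC 8429); remove it unless legacy clients still require RC4 keys.`.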
+++ b/SOURCES/kprop.sysconfig @@ -0,0 +1 @@ +KPROPD_ARGS= diff --git a/SOURCES/krb5-1.21.3.tar.gz.asc b/SOURCES/krb5-1.21.3.tar.gz.asc new file mode 100644 index 0000000..b720135 --- /dev/null +++ b/SOURCES/krb5-1.21.3.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmZ8eHkACgkQDLoIV1+D +ct//gw//bmvy6zXbKL6epNaExVgRdqzfQWm6WqeyGNxg59BQyJwsRsArsQRbSTZl +uUExbV4HDTI/SemnYT8MfNOUtGZBCcAMYUr79Zmwi9S2pc30ZHIGcOf5E7HvIj6y +ZZUvddoxWvxpruCuJHb9dP4ZUPE0iU2rJnLsXR/H4E574WlrWBjXu3gimLen7+yg +aCLxIvw6lk4f/X8l+aqbK+haWHwMnca+kWSPbmL2iblHVqmoJVEmWhy7/9WjiT5S +5HhDJIObO2qn1pbE1ZTQqfGOfFgOUVxTl2myMxX1RXEDVFzdLDdnoUJRt4o4GG27 +Y0WfLtmN6NisVF91dkl2+F7js+xVI3m9uZnpeccKO2Uq6BQRrfOMWUAHVKMUJZjh +h0GMeTzOhw7qGKitAiuhauyDMMTgMx78bC0DpLYtq24fp7BSvD0jNZnfjUXVCk8D +al9cfxC5m843aKiJ01Of13PziZsTQFz/TUsOrcpx4h7+qY7nldrovkQBiyVbbtn4 +MncYq8d84G/0vsbJ/6ftJ6Y+OL20jyzfC5xgmKtK/y1D987aum2BSudISUCylOOt +j5/KiTRe0rWUjBNtoCjrtw4xlSbygmjuiE/xtcow0CHXDtMjlo8PrDi8W+xccBv2 +zQ2B+e9ywkF4uC/M91s/bVSMkOtxv2JCoUUHOMF4ku5vzKSOhyk= +=TH0A +-----END PGP SIGNATURE----- diff --git a/SOURCES/krb5-krb5kdc.conf b/SOURCES/krb5-krb5kdc.conf new file mode 100644 index 0000000..5160b28 --- /dev/null +++ b/SOURCES/krb5-krb5kdc.conf @@ -0,0 +1 @@ +d /run/krb5kdc 0755 root root diff --git a/SOURCES/krb5-tests b/SOURCES/krb5-tests new file mode 100644 index 0000000..6754f3f --- /dev/null +++ b/SOURCES/krb5-tests 
@@ -0,0 +1,18 @@ +#!/bin/sh +set -e + +export RPM_PACKAGE_NAME={{ name }} +export RPM_PACKAGE_VERSION={{ version }} +export RPM_PACKAGE_RELEASE={{ release }} +export RPM_ARCH={{ arch }} +export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)" + +testdir="$(mktemp -d)" +trap "rm -rf ${testdir}" EXIT + +build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")" + +mkdir "${testdir}/{{ name }}-tests" +cp -rp /usr/share/{{ name }}-tests/{{ arch }} "${testdir}/{{ name }}-tests/" +make -C "${testdir}/{{ name }}-tests/{{ arch }}/" $build_flags +keyctl session - make -C "${testdir}/{{ name }}-tests/{{ arch }}/" check diff --git a/SOURCES/krb5.conf b/SOURCES/krb5.conf new file mode 100644 index 0000000..5e474d1 --- /dev/null +++ b/SOURCES/krb5.conf @@ -0,0 +1,30 @@ +# To opt out of the system crypto-policies configuration of krb5, remove the +# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. +includedir /etc/krb5.conf.d/ + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt + spake_preauth_groups = edwards25519 + dns_canonicalize_hostname = fallback + qualify_shortname = "" +# default_realm = EXAMPLE.COM + +[realms] +# EXAMPLE.COM = { +# kdc = kerberos.example.com +# admin_server = kerberos.example.com +# } + +[domain_realm] +# .example.com = EXAMPLE.COM +# example.com = EXAMPLE.COM diff --git a/SOURCES/krb5kdc.logrotate b/SOURCES/krb5kdc.logrotate new file mode 100644 index 0000000..cfc4539 --- /dev/null +++ b/SOURCES/krb5kdc.logrotate @@ -0,0 +1,9 @@ +/var/log/krb5kdc.log { + missingok + notifempty + monthly + rotate 12 + postrotate + systemctl reload krb5kdc.service || true + endscript +} diff --git a/SOURCES/krb5kdc.service b/SOURCES/krb5kdc.service new file mode 100644 index 0000000..40e23d6 
--- /dev/null +++ b/SOURCES/krb5kdc.service @@ -0,0 +1,14 @@ +[Unit] +Description=Kerberos 5 KDC +Wants=network-online.target +After=syslog.target network.target network-online.target + +[Service] +Type=forking +PIDFile=/run/krb5kdc.pid +EnvironmentFile=-/etc/sysconfig/krb5kdc +ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/krb5kdc.sysconfig b/SOURCES/krb5kdc.sysconfig new file mode 100644 index 0000000..791216d --- /dev/null +++ b/SOURCES/krb5kdc.sysconfig @@ -0,0 +1 @@ +KRB5KDC_ARGS= diff --git a/SOURCES/ksu.pamd b/SOURCES/ksu.pamd new file mode 100644 index 0000000..66f5b2c --- /dev/null +++ b/SOURCES/ksu.pamd @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth include su +account include su +session include su diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec new file mode 100644 index 0000000..0b276bf --- /dev/null +++ b/SPECS/krb5.spec 
@@ -0,0 +1,4325 @@
+# Set this so that find-lang.sh will recognize the .po files.
+%global gettext_domain mit-krb5
+# Guess where the -libs subpackage's docs are going to go.
+%define libsdocdir %{?_pkgdocdir:%(echo %{_pkgdocdir} | sed -e s,krb5,krb5-libs,g)}%{!?_pkgdocdir:%{_docdir}/%{name}-libs-%{version}}
+# Figure out where the default ccache lives and how we set it.
+%global configure_default_ccache_name 1
+%global configured_default_ccache_name KEYRING:persistent:%%{uid}
+
+# Use baserelease to set the release number!
+#
+# baserelease is what we have standardized across Fedora and what
+# rpmdev-bumpspec knows how to handle.
+%global baserelease 2
+
+# This should be e.g. beta1 or %%nil
+%global pre_release %nil
+
+%global krb5_release %{baserelease}
+%if "x%{?pre_release}" != "x"
+%global krb5_release 0.%{baserelease}.%{pre_release}
+%global krb5_pre_release -%{pre_release}
+%endif
+
+%global krb5_version_major 1
+%global krb5_version_minor 21
+# For a release without a patch number set to %%nil
+%global krb5_version_patch 3
+
+%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
+%global krb5_version %{krb5_version_major_minor}
+%if "x%{?krb5_version_patch}" != "x"
+%global krb5_version %{krb5_version_major_minor}.%{krb5_version_patch}
+%endif
+
+# Should be in form 5.0, 6.1, etc.
+%global kdbversion 9.0
+
+Summary: The Kerberos network authentication system
+Name: krb5
+Version: %{krb5_version}
+Release: %{krb5_release}%{?dist}
+
+# rharwood has trust path to signing key and verifies on check-in
+Source0: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz
+Source1: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc
+
+Source2: kprop.service
+Source3: kadmin.service
+Source4: krb5kdc.service
+Source5: krb5.conf
+Source6: kdc.conf
+Source7: kadm5.acl
+Source8: krb5kdc.sysconfig
+Source9: kadmin.sysconfig
+Source10: kprop.sysconfig
+Source11: ksu.pamd
+Source12: krb5kdc.logrotate
+Source13: kadmind.logrotate
+Source14: krb5-krb5kdc.conf
+Source15: %{name}-tests
+
+Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
+Patch0002: 0002-downstream-ksu-pam-integration.patch
+Patch0003: 0003-downstream-SELinux-integration.patch
+Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch
+Patch0005: 0005-downstream-Remove-3des-support.patch
+Patch0006: 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+Patch0007: 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch
+Patch0008: 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
+Patch0009: 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch
+Patch0010: 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch
+Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
+Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
+Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
+Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
+Patch0015: 0015-Eliminate-old-style-function-declarations.patch
+Patch0016: 0016-Replace-ssl.wrap_socket-for-tests.patch
+Patch0017: 0017-Fix-unimportant-memory-leaks.patch
+Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE.patch
+Patch0019: 0019-Add-request_timeout-configuration-parameter.patch
+Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connections.patch
+Patch0021: 0021-Remove-klist-s-defname-global-variable.patch
+Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
+
+License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
+URL: https://web.mit.edu/kerberos/www/
+BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
+BuildRequires: gcc, gcc-c++
+BuildRequires: libcom_err-devel, libedit-devel, libss-devel
+BuildRequires: gzip, ncurses-devel
+BuildRequires: python3, python3-sphinx
+BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
+BuildRequires: libselinux-devel
+BuildRequires: pam-devel
+BuildRequires: systemd-units
+BuildRequires: tcl-devel
+BuildRequires: libverto-devel
+BuildRequires: openldap-devel
+BuildRequires: lmdb-devel
+BuildRequires: perl-interpreter
+
+# For autosetup
+BuildRequires: git
+
+%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
+# Need KDFs. This is the "real" version
+BuildRequires: openssl-devel >= 1:3.0.0
+%else
+# Need KDFs. This is the backported version
+BuildRequires: openssl-devel >= 1:1.1.1d-4
+BuildRequires: openssl-devel < 1:3.0.0
+%endif
+
+# Enable compilation of optional tests
+BuildRequires: resolv_wrapper
+BuildRequires: libcmocka-devel
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of sending passwords over the network in unencrypted form.
+
+%package devel
+Summary: Development files needed to compile Kerberos 5 programs
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: libkadm5%{?_isa} = %{version}-%{release}
+Requires: libcom_err-devel
+Requires: keyutils-libs-devel, libselinux-devel
+Requires: libverto-devel
+Provides: krb5-kdb-devel-version = %{kdbversion}
+# IPA wants ^ to be a separate symbol because they don't trust package
+# managers to match -server and -devel in version. Just go with it.
+
+%description devel
+Kerberos is a network authentication system. The krb5-devel package
+contains the header files and libraries needed for compiling Kerberos
+5 programs. If you want to develop Kerberos-aware programs, you need
+to install this package.
+
+%package libs
+Summary: The non-admin shared libraries used by Kerberos 5
+%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
+Requires: openssl-libs >= 1:3.0.0
+%else
+Requires: openssl-libs >= 1:1.1.1d-4
+Requires: openssl-libs < 1:3.0.0
+%endif
+Requires: coreutils, gawk, sed
+Requires: keyutils-libs >= 1.5.8
+Requires: /etc/crypto-policies/back-ends/krb5.config
+
+%description libs
+Kerberos is a network authentication system. The krb5-libs package
+contains the shared libraries needed by Kerberos 5. If you are using
+Kerberos, you need to install this package.
+
+%package server
+Summary: The KDC and related programs for Kerberos 5
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-pkinit%{?_isa} = %{version}-%{release}
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+# we drop files in its directory, but we don't want to own that directory
+Requires: logrotate
+# we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf
+Requires: words
+# for run-time, and for parts of the test suite
+BuildRequires: libverto-module-base
+Requires: libverto-module-base
+Requires: libkadm5%{?_isa} = %{version}-%{release}
+Provides: krb5-kdb-version = %{kdbversion}
+
+%description server
+Kerberos is a network authentication system. The krb5-server package
+contains the programs that must be installed on a Kerberos 5 key
+distribution center (KDC). If you are installing a Kerberos 5 KDC,
+you need to install this package (in other words, most people should
+NOT install this package).
+
+%package server-ldap
+Summary: The LDAP storage plugin for the Kerberos 5 KDC
+Requires: %{name}-server%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: libkadm5%{?_isa} = %{version}-%{release}
+
+%description server-ldap
+Kerberos is a network authentication system. The krb5-server package
+contains the programs that must be installed on a Kerberos 5 key
+distribution center (KDC). If you are installing a Kerberos 5 KDC,
+and you wish to use a directory server to store the data for your
+realm, you need to install this package.
+
+%package workstation
+Summary: Kerberos 5 programs for use on workstations
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-pkinit%{?_isa} = %{version}-%{release}
+Requires: libkadm5%{?_isa} = %{version}-%{release}
+
+%description workstation
+Kerberos is a network authentication system. The krb5-workstation
+package contains the basic Kerberos programs (kinit, klist, kdestroy,
+kpasswd). If your network uses Kerberos, this package should be
+installed on every workstation.
+
+%package pkinit
+Summary: The PKINIT module for Kerberos 5
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Obsoletes: krb5-pkinit-openssl < %{version}-%{release}
+Provides: krb5-pkinit-openssl = %{version}-%{release}
+
+%description pkinit
+Kerberos is a network authentication system. The krb5-pkinit
+package contains the PKINIT plugin, which allows clients
+to obtain initial credentials from a KDC using a private key and a
+certificate.
+
+%package -n libkadm5
+Summary: Kerberos 5 Administrative libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description -n libkadm5
+Kerberos is a network authentication system. The libkadm5 package
+contains only the libkadm5clnt and libkadm5serv shared objects. This
+interface is not considered stable.
+
+%package tests
+Summary: Test sources for krb5 build
+
+# Build dependencies
+Requires: coreutils, gawk, sed
+Requires: gcc-c++
+Requires: gettext
+Requires: libcom_err-devel
+Requires: libselinux-devel
+Requires: libss-devel
+Requires: libverto-devel
+Requires: lmdb-devel
+Requires: openldap-devel
+Requires: pam-devel
+Requires: redhat-rpm-config
+%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
+Requires: openssl-devel >= 1:3.0.0
+%else
+Requires: openssl-devel >= 1:1.1.1d-4
+Requires: openssl-devel < 1:3.0.0
+%endif
+
+# Test dependencies
+Requires: dejagnu
+Requires: hostname
+Requires: iproute
+Requires: keyutils, keyutils-libs-devel >= 1.5.8
+Requires: libcmocka-devel
+Requires: libverto-module-base
+Requires: logrotate
+Requires: net-tools, rpcbind
+Requires: perl-interpreter
+Requires: procps-ng
+Requires: python3-kdcproxy
+Requires: python3-pyrad
+Requires: resolv_wrapper
+Requires: /etc/crypto-policies/back-ends/krb5.config
+Requires: words
+#Requires: openldap-servers, openldap-clients
+
+%description tests
+FOR TESTING PURPOSE ONLY +Test sources for krb5 build, with pre-defined compilation parameters + +%prep +%autosetup -S git_am -n %{name}-%{version}%{?dashpre} +ln NOTICE LICENSE + +# Generate an FDS-compatible LDIF file. +inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif +cat > '60kerberos.ldif' << EOF +# This is a variation on kerberos.ldif which 389 Directory Server will like. +dn: cn=schema +EOF +grep -Eiv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif +touch -r $inldif 60kerberos.ldif + +# Rebuild the configure scripts. +pushd src +autoreconf -fiv +popd + +# Mess with some of the default ports that we use for testing, so that multiple +# builds going on the same host don't step on each other. +cfg="src/util/k5test.py" +LONG_BIT=`getconf LONG_BIT` +PORT=`expr 61000 + $LONG_BIT - 48` +sed -i -e s,61000,`expr "$PORT" + 0`,g $cfg +PORT=`expr 1750 + $LONG_BIT - 48` +sed -i -e s,1750,`expr "$PORT" + 0`,g $cfg +sed -i -e s,1751,`expr "$PORT" + 1`,g $cfg +sed -i -e s,1752,`expr "$PORT" + 2`,g $cfg +PORT=`expr 8888 + $LONG_BIT - 48` +sed -i -e s,8888,`expr "$PORT" - 0`,g $cfg +sed -i -e s,8887,`expr "$PORT" - 1`,g $cfg +sed -i -e s,8886,`expr "$PORT" - 2`,g $cfg +PORT=`expr 7777 + $LONG_BIT - 48` +sed -i -e s,7777,`expr "$PORT" + 0`,g $cfg +sed -i -e s,7778,`expr "$PORT" + 1`,g $cfg + +# Fix kadmind port hard-coded in tests +PORT=`expr 61000 + $LONG_BIT - 48` +sed -i -e \ + "s,params.kadmind_port = 61001;,params.kadmind_port = $((PORT + 1));," \ + src/lib/kadm5/t_kadm5.c + + +%build +# Go ahead and supply tcl info, because configure doesn't know how to find it. +source %{_libdir}/tclConfig.sh +pushd src + +# This should be safe to remove once we have autoconf >= 2.70 +export runstatedir=/run + +# Work out the CFLAGS and CPPFLAGS which we intend to use. 
+INCLUDES=-I%{_includedir}/et +CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`" +CPPFLAGS="`echo $DEFINES $INCLUDES`" +%configure \ + CC="%{__cc}" \ + CFLAGS="$CFLAGS" \ + CPPFLAGS="$CPPFLAGS" \ + SS_LIB="-lss" \ + PKCS11_MODNAME="p11-kit-proxy.so" \ + --enable-shared \ + --runstatedir=/run \ + --localstatedir=%{_var}/kerberos \ + --disable-rpath \ + --without-krb5-config \ + --with-system-et \ + --with-system-ss \ + --with-tcl \ + --enable-dns-for-realm \ + --with-ldap \ + --with-dirsrv-account-locking \ + --enable-pkinit \ + --with-crypto-impl=openssl \ + --with-tls-impl=openssl \ + --with-system-verto \ + --with-pam \ + --with-selinux \ + --with-prng-alg=os \ + --with-lmdb \ + || (cat config.log; exit 1) + +# Check we have required features enabled +for x in DNS_LOOKUP DNS_LOOKUP_REALM; do + grep -q "#define KRB5_${x} 1" include/autoconf.h +done + +# Sanity check the KDC_RUN_DIR. +pushd include +make osconf.h +popd +configured_dir=`grep KDC_RUN_DIR include/osconf.h | awk '{print $NF}'` +configured_dir=`eval echo $configured_dir` +if test "$configured_dir" != /run/krb5kdc ; then + echo Failed to configure KDC_RUN_DIR. + exit 1 +fi + +# Build fast, but get better errors if we fail +make %{?_smp_mflags} || make -j1 +popd + +# Build the docs. +make -C src/doc paths.py version.py +cp src/doc/paths.py doc/ +mkdir -p build-man build-html +sphinx-build -a -b man -t pathsubs doc build-man +sphinx-build -a -b html -t pathsubs doc build-html +rm -fr build-html/_sources + +%install +[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT" + +# Sample KDC config files (bundled kdc.conf and kadm5.acl). +mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc +install -pm 600 %{SOURCE6} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/ +install -pm 600 %{SOURCE7} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/ + +# Where per-user keytabs live by default. 
+mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5/user + +# Default configuration file for everything. +mkdir -p $RPM_BUILD_ROOT/etc +install -pm 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/krb5.conf + +# Default include on this directory +mkdir -p $RPM_BUILD_ROOT/etc/krb5.conf.d +ln -sv /etc/crypto-policies/back-ends/krb5.config $RPM_BUILD_ROOT/etc/krb5.conf.d/crypto-policies + +# Parent of configuration file for list of loadable GSS mechs ("mechs"). This +# location is not relative to sysconfdir, but is hard-coded in g_initialize.c. +mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss +# Parent of groups of configuration files for a list of loadable GSS mechs +# ("mechs"). This location is not relative to sysconfdir, and is also +# hard-coded in g_initialize.c. +mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss/mech.d + +# If the default configuration needs to start specifying a default cache +# location, add it now, then fixup the timestamp so that it looks the same. +%if 0%{?configure_default_ccache_name} +export DEFCCNAME="%{configured_default_ccache_name}" +awk '{print} + /^# default_realm/{print " default_ccache_name =", ENVIRON["DEFCCNAME"]}' \ + %{SOURCE5} > $RPM_BUILD_ROOT/etc/krb5.conf +touch -r %{SOURCE5} $RPM_BUILD_ROOT/etc/krb5.conf +grep default_ccache_name $RPM_BUILD_ROOT/etc/krb5.conf +%endif + +# Server init scripts (krb5kdc,kadmind,kpropd) and their sysconfig files. +mkdir -p $RPM_BUILD_ROOT%{_unitdir} +for unit in \ + %{SOURCE4}\ + %{SOURCE3} \ + %{SOURCE2} ; do + # In the past, the init script was supposed to be named after the service + # that the started daemon provided. Changing their names is an + # upgrade-time problem I'm in no hurry to deal with. 
+ install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir} +done +mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir} +install -pm 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_tmpfilesdir}/ +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc + +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig +for sysconfig in %{SOURCE8} %{SOURCE9} %{SOURCE10} ; do + install -pm 644 ${sysconfig} \ + $RPM_BUILD_ROOT/etc/sysconfig/`basename ${sysconfig} .sysconfig` +done + +# logrotate configuration files +mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d/ +for logrotate in \ + %{SOURCE12} \ + %{SOURCE13} ; do + install -pm 644 ${logrotate} \ + $RPM_BUILD_ROOT/etc/logrotate.d/`basename ${logrotate} .logrotate` +done + +# PAM configuration files. +mkdir -p $RPM_BUILD_ROOT/etc/pam.d/ +for pam in %{SOURCE11} ; do + install -pm 644 ${pam} \ + $RPM_BUILD_ROOT/etc/pam.d/`basename ${pam} .pamd` +done + +# Plug-in directories. +install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth +install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb +install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata + +# The rest of the binaries, headers, libraries, and docs. +%make_install -C src EXAMPLEDIR=%{libsdocdir}/examples + +# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks +# of the buildconf patch already conspire to strip out /usr/ from the +# list of link flags, and it helps prevent file conflicts on multilib systems. +sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config + +# Workaround krb5-config reading too much from LDFLAGS. +# https://bugzilla.redhat.com/show_bug.cgi?id=1997021 +# https://bugzilla.redhat.com/show_bug.cgi?id=2048909 +sed -i -r -e 's/^(LDFLAGS=).*/\1/' $RPM_BUILD_ROOT%{_bindir}/krb5-config + +# Install processed man pages. 
+for section in 1 5 8 ; do + install -m 644 build-man/*.${section} \ + $RPM_BUILD_ROOT/%{_mandir}/man${section}/ +done + +# I'm tired of warnings about these not having man pages +rm -- "$RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr" +rm -- "$RPM_BUILD_ROOT/%{_sbindir}/sim_server" +rm -- "$RPM_BUILD_ROOT/%{_sbindir}/gss-server" +rm -- "$RPM_BUILD_ROOT/%{_sbindir}/uuserver" +rm -- "$RPM_BUILD_ROOT/%{_bindir}/sim_client" +rm -- "$RPM_BUILD_ROOT/%{_bindir}/gss-client" +rm -- "$RPM_BUILD_ROOT/%{_bindir}/uuclient" + +# These files are already packaged elsewhere +rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf" +rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf" +rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append" + +# This is only needed for tests +rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so" + +# Generate tests launching script +sed -e 's/{{ name }}/%{name}/g' \ + -e 's/{{ version }}/%{krb5_version}/g' \ + -e 's/{{ release }}/%{krb5_release}/g' \ + -e 's/{{ arch }}/%{_arch}/g' \ + -i %{SOURCE15} +mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tests-%{_arch} + +# Copy source files from build folder to system data folder +install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch} +pushd src +cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" \ + $(find . -type f -exec file -i "{}" + \ + | sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p' | grep -Ev '~$') +popd + +# Copy binary test files +install -pm 644 src/tests/pkinit-certs/*.p12 \ + "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/pkinit-certs/" +install -pm 644 src/tests/au_dict.json \ + "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/" + +# Unset executable bit if no shebang in script +for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" -type f -executable) +do + head -n1 "$f" | grep -Eq '^#!' 
|| chmod a-x "$f" +done + +# Remove broken shebang Perl scripts +rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/config/wconfig.pl" +rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/kadmin/kdbkeys/do-test.pl" + +%find_lang %{gettext_domain} + +%ldconfig_scriptlets libs + +%ldconfig_scriptlets server-ldap + +%post server +%systemd_post krb5kdc.service kadmin.service kprop.service +# assert sanity. A cleaner solution probably exists but it is opaque +/bin/systemctl daemon-reload +exit 0 + +%preun server +%systemd_preun krb5kdc.service kadmin.service kprop.service +exit 0 + +%postun server +%systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service +exit 0 + +%ldconfig_scriptlets -n libkadm5 + +%files workstation +%doc src/config-files/services.append +%doc src/config-files/krb5.conf +%doc build-html/* +%attr(0755,root,root) %doc src/config-files/convert-config-files + +# Clients of the KDC, including tools you're likely to need if you're running +# app servers other than those built from this source package. +%{_bindir}/kdestroy +%{_mandir}/man1/kdestroy.1* +%{_bindir}/kinit +%{_mandir}/man1/kinit.1* +%{_bindir}/klist +%{_mandir}/man1/klist.1* +%{_bindir}/kpasswd +%{_mandir}/man1/kpasswd.1* +%{_bindir}/kswitch +%{_mandir}/man1/kswitch.1* + +%{_bindir}/kvno +%{_mandir}/man1/kvno.1* +%{_bindir}/kadmin +%{_mandir}/man1/kadmin.1* +%{_bindir}/k5srvutil +%{_mandir}/man1/k5srvutil.1* +%{_bindir}/ktutil +%{_mandir}/man1/ktutil.1* + +# Doesn't really fit anywhere else. 
+%attr(4755,root,root) %{_bindir}/ksu +%{_mandir}/man1/ksu.1* +%config(noreplace) /etc/pam.d/ksu + +%files server +%docdir %{_mandir} +%doc src/config-files/kdc.conf +%{_unitdir}/krb5kdc.service +%{_unitdir}/kadmin.service +%{_unitdir}/kprop.service +%{_tmpfilesdir}/krb5-krb5kdc.conf +%dir %{_localstatedir}/run/krb5kdc +%config(noreplace) /etc/sysconfig/krb5kdc +%config(noreplace) /etc/sysconfig/kadmin +%config(noreplace) /etc/sysconfig/kprop +%config(noreplace) /etc/logrotate.d/krb5kdc +%config(noreplace) /etc/logrotate.d/kadmind + +%dir %{_var}/kerberos +%dir %{_var}/kerberos/krb5kdc +%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf +%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl + +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir %{_libdir}/krb5/plugins/preauth +%dir %{_libdir}/krb5/plugins/authdata +%{_libdir}/krb5/plugins/preauth/otp.so +%{_libdir}/krb5/plugins/kdb/db2.so +%{_libdir}/krb5/plugins/kdb/klmdb.so + +# KDC binaries and configuration. +%{_mandir}/man5/kadm5.acl.5* +%{_mandir}/man5/kdc.conf.5* +%{_sbindir}/kadmin.local +%{_mandir}/man8/kadmin.local.8* +%{_sbindir}/kadmind +%{_mandir}/man8/kadmind.8* +%{_sbindir}/kdb5_util +%{_mandir}/man8/kdb5_util.8* +%{_sbindir}/kprop +%{_mandir}/man8/kprop.8* +%{_sbindir}/kpropd +%{_mandir}/man8/kpropd.8* +%{_sbindir}/kproplog +%{_mandir}/man8/kproplog.8* +%{_sbindir}/krb5kdc +%{_mandir}/man8/krb5kdc.8* + +# This is here for people who want to test their server. It was formerly also +# included in -devel. 
+%{_bindir}/sclient +%{_mandir}/man1/sclient.1* +%{_sbindir}/sserver +%{_mandir}/man8/sserver.8* + +%files server-ldap +%docdir %{_mandir} +%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif +%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema +%doc 60kerberos.ldif +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%{_libdir}/krb5/plugins/kdb/kldap.so +%{_libdir}/libkdb_ldap.so +%{_libdir}/libkdb_ldap.so.* +%{_mandir}/man8/kdb5_ldap_util.8.gz +%{_sbindir}/kdb5_ldap_util + +%files libs -f %{gettext_domain}.lang +%doc README NOTICE +%{!?_licensedir:%global license %%doc} +%license LICENSE +%docdir %{_mandir} +# These are hard-coded, not-dependent-on-the-configure-script paths. +%dir /etc/gss +%dir /etc/gss/mech.d +%dir /etc/krb5.conf.d +%config(noreplace) /etc/krb5.conf +%config(noreplace,missingok) /etc/krb5.conf.d/crypto-policies +/%{_mandir}/man5/.k5identity.5* +/%{_mandir}/man5/.k5login.5* +/%{_mandir}/man5/k5identity.5* +/%{_mandir}/man5/k5login.5* +/%{_mandir}/man5/krb5.conf.5* +/%{_mandir}/man7/kerberos.7* +%{_libdir}/libgssapi_krb5.so.* +%{_libdir}/libgssrpc.so.* +%{_libdir}/libk5crypto.so.* +%{_libdir}/libkdb5.so.* +%{_libdir}/libkrad.so.* +%{_libdir}/libkrb5.so.* +%{_libdir}/libkrb5support.so.* +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/* +%{_libdir}/krb5/plugins/tls/k5tls.so +%{_libdir}/krb5/plugins/preauth/spake.so +%dir %{_var}/kerberos +%dir %{_var}/kerberos/krb5 +%dir %{_var}/kerberos/krb5/user + +%files pkinit +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/pkinit.so + +%files devel +%docdir %{_mandir} + +%{_includedir}/* +%{_libdir}/libgssapi_krb5.so +%{_libdir}/libgssrpc.so +%{_libdir}/libk5crypto.so +%{_libdir}/libkdb5.so +%{_libdir}/libkrad.so +%{_libdir}/libkrb5.so +%{_libdir}/libkrb5support.so +%{_libdir}/pkgconfig/* + +%{_bindir}/krb5-config +%{_mandir}/man1/krb5-config.1* + +%files -n libkadm5 
+%{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5clnt_mit.so +%{_libdir}/libkadm5srv.so +%{_libdir}/libkadm5srv_mit.so +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* + +%files tests +%{_libexecdir}/%{name}-tests-%{_arch} +%{_datarootdir}/%{name}-tests/%{_arch} + +%changelog +* Fri Jul 12 2024 Julien Rische - 1.21.3-2 +- Do not include files with "~" termination in krb5-tests + Resolves: RHEL-45995 + +* Fri Jul 12 2024 Julien Rische - 1.21.3-1 +- New upstream version (1.21.3) +- CVE-2024-37370 CVE-2024-37371 + Fix vulnerabilities in GSS message token handling + Resolves: RHEL-45387 RHEL-45378 +- Fix memory leak in GSSAPI interface + Resolves: RHEL-47284 +- Fix memory leak in PMAP RPC interface + Resolves: RHEL-47287 +- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC + Resolves: RHEL-47285 +- Make TCP waiting time configurable + Resolves: RHEL-47278 + +* Mon Jun 24 2024 Troy Dawson - 1.21.2-7 +- Bump release for June 2024 mass rebuild + +* Wed Jun 19 2024 Julien Rische - 1.21.2-6 +- Add missing SPDX license identifiers + Resolves: RHEL-44383 + +* Thu Jan 25 2024 Fedora Release Engineering - 1.21.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 1.21.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jan 17 2024 Julien Rische - 1.21.2-3 +- Fix double free in klist's show_ccache() + Resolves: rhbz#2257301 +- Store krb5-tests files in architecture-specific directories + Resolves: rhbz#2244601 + +* Tue Oct 10 2023 Julien Rische - 1.21.2-2 +- Use SPDX expression for license tag +- Fix unimportant memory leaks + Resolves: rhbz#2223274 + +* Wed Aug 16 2023 Julien Rische - 1.21.2-1 +- New upstream version (1.21.2) +- Fix double-free in KDC TGS processing (CVE-2023-39975) + Resolves: rhbz#2229113 +- Make tests compatible with Python 3.12 + Resolves: rhbz#2224013 + +* Thu Jul 20 2023 Fedora Release Engineering - 1.21-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 29 2023 Marek Blaha - 1.21-2 +- Replace file dependency with package name + Resolves: rhbz#2216903 + +* Mon Jun 12 2023 Julien Rische - 1.21-1 +- New upstream version (1.21) +- Do not disable PKINIT if some of the well-known DH groups are unavailable + Resolves: rhbz#2214297 +- Make PKINIT CMS SHA-1 signature verification available in FIPS mode + Resolves: rhbz#2214300 +- Allow to set PAC ticket signature as optional + Resolves: rhbz#2181311 +- Add support for MS-PAC extended KDC signature (CVE-2022-37967) + Resolves: rhbz#2166001 +- Fix syntax error in aclocal.m4 + Resolves: rhbz#2143306 + +* Tue Jan 31 2023 Julien Rische - 1.20.1-9 +- Add support for MS-PAC extended KDC signature (CVE-2022-37967) + Resolves: rhbz#2166001 + +* Mon Jan 30 2023 Julien Rische - 1.20.1-8 +- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled +- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode + +* Thu Jan 19 2023 Fedora Release Engineering - 1.20.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Jan 18 2023 Julien Rische - 1.20.1-6 +- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf +- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf + Resolves: rhbz#2114771 + +* Mon Jan 09 2023 Julien Rische - 1.20.1-5 +- Strip debugging data from ksu executable file + +* Thu Jan 05 2023 Julien Rische - 1.20.1-4 +- Include missing OpenSSL FIPS header +- Make tests compatible with sssd_krb5_locator_plugin.so + +* Tue Dec 06 2022 Julien Rische - 1.20.1-3 +- Enable TMT integration with Fedora CI + +* Thu Dec 1 2022 Alexander Bokovoy - 1.20.1-2 +- Bump KDB ABI version provide to 9.0 + +* Wed Nov 23 2022 Julien Rische - 1.20.1-1 +- New upstream version (1.20.1) + Resolves: rhbz#2124463 +- Restore "supportedCMSTypes" attribute in PKINIT preauth requests +- Set SHA-512 or SHA-256 with RSA as preferred CMS signature 
algorithms
+ Resolves: rhbz#2114766
+- Update error checking for OpenSSL CMS_verify
+ Resolves: rhbz#2119704
+- Remove invalid password expiry warning
+ Resolves: rhbz#2129113
+
+* Wed Nov 09 2022 Julien Rische - 1.19.2-13
+- Fix integer overflows in PAC parsing (CVE-2022-42898)
+ Resolves: rhbz#2143011
+
+* Tue Aug 02 2022 Andreas Schneider - 1.19.2-12
+- Use baserelease to set the release number
+- Do not define netlib, but use autoconf detection for res_* functions
+- Add missing BR for resolv_wrapper to run t_discover_uri.py
+
+* Thu Jul 21 2022 Fedora Release Engineering - 1.19.2-11.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 15 2022 Julien Rische - 1.19.2-11
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+ Resolves: rhbz#2082189
+- Read GSS configuration files with mtime 0
+
+* Mon May 2 2022 Julien Rische - 1.19.2-10
+- Use p11-kit as default PKCS11 module
+ Resolves: rhbz#2073274
+- Try harder to avoid password change replay errors
+ Resolves: rhbz#2072059
+
+* Tue Apr 05 2022 Alexander Bokovoy - 1.19.2-9
+- Fix libkrad client cleanup
+- Fixes rhbz#2072059
+
+* Tue Apr 05 2022 Alexander Bokovoy - 1.19.2-8
+- Allow use of larger RADIUS attributes in krad library
+
+* Wed Mar 23 2022 Julien Rische - 1.19.2-7
+- Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+* Tue Feb 8 2022 Zbigniew Jędrzejewski-Szmek - 1.19.2-6
+- Drop old trigger scriplet
+- Reenable package notes and strip LDFLAGS from krb5-config (rhbz#2048909)
+
+* Wed Feb 02 2022 Alexander Bokovoy - 1.19.2-5
+- Temporarily remove package note to unblock krb5-dependent packages
+ Resolves: rhbz#2048909
+
+* Thu Jan 20 2022 Fedora Release Engineering - 1.19.2-4.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Dec 3 2021 Antonio Torres - 1.19.2-4
+- Add patches to support OpenSLL 3.0.0
+- Remove TCL-based libkadm5 API tests
+
+* Tue Sep 14 2021 Sahana Prasad - 1.19.2-3.1
+- Rebuilt with OpenSSL 3.0.0
+
+* Tue Aug 24 2021 Robbie Harwood - 1.19.2-3
+- Remove -specs= from krb5-config output
+
+* Thu Aug 19 2021 Robbie Harwood - 1.19.2-2
+- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
+
+* Mon Jul 26 2021 Robbie Harwood - 1.19.2-1
+- New upstream version (1.19.2)
+
+* Wed Jul 21 2021 Robbie Harwood - 1.19.1-15
+- Fix defcred leak in krb5 gss_inquire_cred()
+
+* Mon Jul 12 2021 Robbie Harwood - 1.19.1-14
+- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
+
+* Thu Jul 01 2021 Robbie Harwood - 1.19.1-13
+- Fix use-after-free during krad remote_shutdown()
+
+* Mon Jun 28 2021 Robbie Harwood - 1.19.1-12
+- MEMORY locking fix and static analysis pullup
+
+* Mon Jun 21 2021 Robbie Harwood - 1.19.1-11
+- Add the backward-compatible parts of openssl3 support
+
+* Wed Jun 09 2021 Robbie Harwood - 1.19.1-10
+- Fix three canonicalization cases for fallback
+
+* Wed Jun 02 2021 Robbie Harwood - 1.19.1-9
+- Fix doc build for Sphinx 4.0
+
+* Thu May 20 2021 Robbie Harwood - 1.19.1-8
+- Add all the sssd-kcm workarounds
+
+* Thu May 20 2021 Robbie Harwood - 1.19.1-7
+- Fix context for previous backport
+
+* Thu May 20 2021 Robbie Harwood - 1.19.1-6
+- Add KCM_OP_GET_CRED_LIST and KCM_OP_RETRIEVE support
+
+* Tue May 04 2021 Robbie Harwood - 1.19.1-5
+- Suppress static analyzer warning in FIPS override
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1.19.1-3.1
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Mon Mar 01 2021 Robbie Harwood - 1.19.1-3
+- Further test dependency fixes; no code changes
+
+* Mon Mar 01 2021 Robbie Harwood - 1.19.1-2
+- Make test dependencies contingent on skipcheck; no code changes
+
+* Thu Feb 18 2021 Robbie Harwood - 1.19.1-1
+- New upstream version (1.19.1)
+
+* Wed Feb 17 2021 Robbie Harwood - 1.19-3
+- Restore krb5_set_default_tgs_ktypes()
+
+* Fri Feb 05 2021 Robbie Harwood - 1.19-2
+- No code change; just coping with reverted autoconf
+
+* Tue Feb 02 2021 Robbie Harwood - 1.19-1
+- New upstream version (1.19)
+
+* Thu Jan 28 2021 Robbie Harwood - 1.19-0.beta2.5
+- Support host-based GSS initiator names
+
+* Thu Jan 28 2021 Robbie Harwood - 1.19-0.beta2.4
+- Require krb5-pkinit from krb5-{server,workstation}
+
+* Thu Jan 28 2021 Robbie Harwood - 1.19-0.beta2.3
+- Fix up weird mass rebuild versioning
+
+* Thu Jan 28 2021 Robbie Harwood - 1.19-0.beta2.2.2
+- Add APIs for marshalling credentials
+
+* Wed Jan 27 2021 Robbie Harwood - 1.19-0.beta2.1.2
+- Cope with new autotools behavior wrt runstatedir
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1.19-0.beta2.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 12 2021 Robbie Harwood - 1.19-1
+- New upstream version (1.19-beta2)
+
+* Wed Dec 16 2020 Robbie Harwood - 1.19-0.beta1.2
+- New upstream version (1.19-beta1)
+
+* Wed Dec 16 2020 Robbie Harwood - 1.18.3-5
+- Fix runstatedir configuration
+- Why couldn't systemd just leave it alone?
+
+* Tue Nov 24 2020 Robbie Harwood - 1.18.3-4
+- Document -k option in kvno(1) synopsis
+
+* Fri Nov 20 2020 Robbie Harwood - 1.18.3-3
+- Upstream executable shared libraries patch
+
+* Wed Nov 18 2020 Robbie Harwood - 1.18.3-2
+- Fix build failure in -1
+
+* Wed Nov 18 2020 Robbie Harwood - 1.18.3-1
+- New upstream version (1.18.3)
+
+* Tue Nov 17 2020 Robbie Harwood - 1.18.2-30
+- Migrate /var/run to /run, an exercise in pointlessness
+ Resolves: rhbz#1898410
+
+* Thu Nov 05 2020 Robbie Harwood - 1.18.2-29
+- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)
+
+* Fri Oct 23 2020 Robbie Harwood - 1.18.2-28
+- Fix minor static analysis defects
+
+* Wed Oct 21 2020 Robbie Harwood - 1.18.2-27
+- Fix build of previous
+
+* Wed Oct 21 2020 Robbie Harwood - 1.18.2-26
+- Cross-realm s4u fixes for samba (rhbz#1836630)
+
+* Thu Oct 15 2020 Robbie Harwood - 1.18.2-25
+- Unify kvno option documentation
+
+* Fri Oct 02 2020 Robbie Harwood - 1.18.2-24
+- Add md5 override to krad
+
+* Thu Sep 10 2020 Robbie Harwood - 1.18.2-23
+- Use `systemctl reload` to HUP the KDC during logrotate
+ Resolves: rhbz#1877692
+
+* Wed Sep 09 2020 Robbie Harwood - 1.18.2-22
+- Fix input length checking in SPNEGO DER decoding
+
+* Fri Aug 28 2020 Robbie Harwood - 1.18.2-21
+- Mark crypto-polices snippet as missingok
+ Resolves: rhbz#1868379
+
+* Thu Aug 13 2020 Robbie Harwood - 1.18.2-20
+- Temporarily dns_canonicalize_hostname=fallback changes
+- Hopefully unbreak IPA while we debug further
+
+* Fri Aug 07 2020 Robbie Harwood - 1.18.2-19
+- Expand dns_canonicalize_hostname=fallback support
+
+* Tue Aug 04 2020 Robbie Harwood - 1.18.2-18
+- Fix leak in KERB_AP_OPTIONS_CBT server support
+
+* Mon Aug 03 2020 Robbie Harwood - 1.18.2-17
+- Revert qualify_shortname removal
+
+* Mon Aug 03 2020 Robbie Harwood - 1.18.2-16
+- Disable tests on s390x
+ Resolves: rhbz#1863952
+
+* Sat Aug 01 2020 Fedora Release Engineering - 1.18.2-15
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 31 2020 Robbie Harwood - 1.18.2-14
+- Revert qualify_shortname changes
+
+* Tue Jul 28 2020 Fedora Release Engineering - 1.18.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Robbie Harwood - 1.18.2-12
+- Ignore bad enctypes in krb5_string_to_keysalts()
+- Allow gss_unwrap_iov() of unpadded RC4 tokens
+
+* Wed Jul 15 2020 Robbie Harwood - 1.18.2-11
+- Ignore bad enctypes in krb5_string_to_keysalts()
+
+* Wed Jul 08 2020 Robbie Harwood - 1.18.2-10
+- Set qualify_shortname empty in default configuration
+ Resolves: rhbz#1852041
+
+* Mon Jun 15 2020 Robbie Harwood - 1.18.2-9
+- Use two queues for concurrent t_otp.py daemons
+
+* Mon Jun 15 2020 Robbie Harwood - 1.18.2-8
+- Match Heimdal behavior for channel bindings
+
+* Mon Jun 08 2020 Robbie Harwood - 1.18.2-7
+- Fix test suite by removing wrapper workarounds
+
+* Mon Jun 08 2020 Robbie Harwood - 1.18.2-6
+- Omit PA_FOR_USER if we can't compute its checksum
+
+* Sat May 30 2020 Robbie Harwood - 1.18.2-5
+- Replace gssrpc tests with a Python script
+
+* Sat May 30 2020 Robbie Harwood - 1.18.2-4
+- Default dns_canonicalize_hostname to "fallback"
+
+* Tue May 26 2020 Robbie Harwood - 1.18.2-3
+- dns_canonicalize_hostname = fallback
+
+* Tue May 26 2020 Robbie Harwood - 1.18.2-2
+- Pass channel bindings through SPNEGO
+
+* Fri May 22 2020 Robbie Harwood - 1.18.2-1
+- New upstream release (1.18.2)
+
+* Fri May 22 2020 Robbie Harwood - 1.18.1-6
+- Fix SPNEGO acceptor mech filtering
+
+* Mon May 18 2020 Robbie Harwood - 1.18.1-5
+- Fix typo ("in in") in the ksu man page
+
+* Fri May 08 2020 Robbie Harwood - 1.18.1-4
+- Omit KDC indicator check for S4U2Self requests
+
+* Tue Apr 28 2020 Robbie Harwood - 1.18.1-3
+- Pass gss_localname() through SPNEGO
+
+* Tue Apr 14 2020 Robbie Harwood - 1.18-1.1
+- Drop yasm requirement since we don't use builtin crypto
+
+* Tue Apr 14 2020 Robbie Harwood - 1.18.1-1
+- New upstream version (1.18.1)
+
+* Tue Apr 07 2020 Robbie Harwood - 1.18-12
+- Make ksu honor KRB5CCNAME again
+
+* Thu Apr 02 2020 Robbie Harwood - 1.18-11
+- Do expiration warnings for all init_creds APIs
+
+* Wed Apr 01 2020 Robbie Harwood - 1.18-10
+- Correctly import "service@" GSS host-based name
+
+* Thu Mar 26 2020 Robbie Harwood - 1.18-9
+- Eliminate redundant PKINIT responder invocation
+
+* Thu Mar 26 2020 Robbie Harwood - 1.18-8
+- Add finalization safety check to com_err
+
+* Fri Mar 20 2020 Robbie Harwood - 1.18-7
+- Add maximum openssl version in preparation for openssl 3
+
+* Tue Mar 17 2020 Robbie Harwood - 1.18-6
+- Document client keytab usage
+
+* Tue Mar 03 2020 Robbie Harwood - 1.18-5
+- Refresh manually acquired creds from client keytab
+
+* Fri Feb 28 2020 Robbie Harwood - 1.18-4
+- Allow deletion of require_auth with LDAP KDB
+
+* Thu Feb 27 2020 Robbie Harwood - 1.18-3
+- Allow certauth modules to set hw-authent flag
+
+* Fri Feb 21 2020 Robbie Harwood - 1.18-2
+- Fix AS-REQ checking of KDB-modified indicators
+
+* Wed Feb 12 2020 Robbie Harwood - 1.18-1
+- New upstream version (1.18)
+
+* Fri Feb 07 2020 Robbie Harwood - 1.18-0.beta2.3
+- Don't assume OpenSSL failures are memory errors
+
+* Thu Feb 06 2020 Robbie Harwood - 1.18-0.beta2.2
+- Put KDB authdata first
+
+* Fri Jan 31 2020 Robbie Harwood - 1.18-0.beta2.1
+- New upstream beta release - 1.18-beta2
+- Adjust naming convention for downstream patches
+
+* Fri Jan 10 2020 Robbie Harwood - 1.18-0.beta1.1
+- New upstream beta release - 1.18-beta1
+
+* Wed Jan 08 2020 Robbie Harwood - 1.17.1-5
+- Fix LDAP policy enforcement of pw_expiration
+- Fix handling of invalid CAMMAC service verifier
+
+* Mon Jan 06 2020 Robbie Harwood - 1.17.1-4
+- Fix xdr_bytes() strict-aliasing violations
+
+* Fri Jan 03 2020 Robbie Harwood - 1.17.1-3
+- Don't warn in kadmin when no policy is specified
+- Do not always canonicalize enterprise principals
+
+* Fri Dec 13 2019 Robbie Harwood - 1.17.1-2
+- Enable the LMDB backend for the KDB
+
+* Thu Dec 12 2019 Robbie Harwood - 1.17.1-1
+- New upstream version - 1.17.1
+- Stop building and packaging PDFs
+
+* Fri Dec 06 2019 Robbie Harwood - 1.17-54
+- Qualify short hostnames when not using DNS
+
+* Wed Nov 27 2019 Robbie Harwood - 1.17-53
+- Various gssalloc fixes
+
+* Thu Nov 21 2019 Robbie Harwood - 1.17-52
+- Turns out openssl has an epoch
+
+* Wed Nov 20 2019 Robbie Harwood - 1.17-51
+- Fix runtime openssl version to actually propogate
+
+* Wed Nov 20 2019 Robbie Harwood - 1.17-50
+- Add runtime openssl version requirement too
+
+* Wed Nov 20 2019 Robbie Harwood - 1.17-49
+- Fix kadmin addprinc -randkey -kvno
+
+* Tue Nov 19 2019 Robbie Harwood - 1.17-48
+- Use OpenSSL's backported KDFs
+- Restore MD4 in FIPS mode (for samba)
+
+* Fri Nov 08 2019 Robbie Harwood - 1.17-47
+- Add default_principal_flags to example kdc.conf
+
+* Wed Oct 02 2019 Robbie Harwood - 1.17-46
+- Log unknown enctypes as unsupported in KDC
+
+* Wed Sep 25 2019 Robbie Harwood - 1.17-45
+- Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)
+
+* Thu Sep 12 2019 Robbie Harwood - 1.17-44
+- Static analyzer appeasement
+
+* Tue Aug 27 2019 Robbie Harwood - 1.17-43
+- Simplify krb5_dbe_def_search_enctype()
+
+* Thu Aug 22 2019 Robbie Harwood - 1.17-42
+- Update FIPS patches to remove SPAKE
+
+* Thu Aug 15 2019 Robbie Harwood - 1.17-41
+- Fix KCM client time offset propagation
+
+* Fri Aug 09 2019 Robbie Harwood - 1.17-40
+- Initialize life/rlife in kdcpolicy interface
+
+* Tue Aug 06 2019 Robbie Harwood - 1.17-39
+- Fix memory leaks in soft-pkcs11 code
+
+* Tue Jul 30 2019 Robbie Harwood - 1.17-38
+- Add soft-pkcs11 and use it for testing
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1.17-37
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jul 18 2019 Robbie Harwood - 1.17-36
+- Filter enctypes in gss_set_allowable_enctypes()
+
+* Mon Jul 15 2019 Robbie Harwood - 1.17-35
+- Don't error on invalid enctypes in keytab
+ Resolves: rhbz#1724380
+
+* Tue Jul 02 2019 Robbie Harwood - 1.17-34
+- Remove now-unused checksum functions
+
+* Wed Jun 26 2019 Robbie Harwood - 1.17-33
+- Fix typo in 3des commit
+
+* Wed Jun 26 2019 Robbie Harwood - 1.17-32
+- Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)
+
+* Mon Jun 10 2019 Robbie Harwood - 1.17-31
+- Remove strerror() calls from k5_get_error()
+
+* Fri Jun 07 2019 Robbie Harwood - 1.17-30
+- Remove 3des from kdc.conf example
+
+* Mon Jun 03 2019 Robbie Harwood - 1.17-29
+- Remove 3DES support
+
+* Mon Jun 03 2019 Robbie Harwood - 1.17-28
+- Remove 3des support
+
+* Thu May 30 2019 Robbie Harwood - 1.17-27
+- Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth
+
+* Tue May 28 2019 Robbie Harwood - 1.17-26
+- Remove support for single-DES and CRC
+
+* Wed May 22 2019 Robbie Harwood - 1.17-25
+- Add missing newlines to deprecation warnings
+- Switch to upstream's ksu path patch
+
+* Tue May 21 2019 Robbie Harwood - 1.17-24
+- Update default krb5kdc mkey manual-entry enctype
+- Also update account lockout patch to upstream version
+
+* Mon May 20 2019 Robbie Harwood - 1.17-23
+- Test & docs fixes in preparation for DES removal
+
+* Wed May 15 2019 Robbie Harwood - 1.17-22
+- Drop krb5_realm_compare() etc. NULL check patches
+
+
+* Wed May 15 2019 Robbie Harwood - 1.17-21
+- Re-provide krb5-kdb-version in -devel as well (IPA wants it)
+
+* Tue May 14 2019 Robbie Harwood - 1.17-20
+- (Patch consolidation; hopefully no changes)
+
+* Tue May 14 2019 Robbie Harwood - 1.17-19
+- Remove checksum type profile variables
+
+* Fri May 10 2019 Robbie Harwood - 1.17-18
+- Pull in 2019-05-02 static analysis updates
+
+* Fri May 03 2019 Robbie Harwood - 1.17-17
+- Move krb5-kdb-version provide into krb5-server for freeipa
+
+* Wed May 01 2019 Robbie Harwood - 1.17-16
+- Use secure_getenv() where appropriate
+
+* Wed Apr 24 2019 Robbie Harwood - 1.17-15
+- Fix us up real nice with rpmlint
+
+* Wed Apr 24 2019 Robbie Harwood - 1.17-14
+- Add dns_canonicalize_hostname=fallback support
+
+* Wed Apr 24 2019 Robbie Harwood - 1.17-13
+- Check more errors in OpenSSL crypto backend
+
+* Mon Apr 22 2019 Robbie Harwood - 1.17-12
+- Fix potential close(-1) in cc_file.c
+
+* Wed Apr 17 2019 Robbie Harwood - 1.17-11
+- Remove ovsec_adm_export and confvalidator
+
+* Wed Apr 17 2019 Robbie Harwood - 1.17-10
+- Fix config realm change logic in FILE remove_cred
+
+* Thu Apr 11 2019 Robbie Harwood - 1.17-9
+- Remove Kerberos v4 support vestiges (including ktany support)
+
+* Thu Apr 11 2019 Robbie Harwood - 1.17-8
+- Implement krb5_cc_remove_cred for remaining types
+ Resolves: rhbz#1693836
+
+* Mon Apr 01 2019 Robbie Harwood - 1.17-7
+- FIPS-aware SPAKE group negotiation
+
+* Mon Feb 25 2019 Robbie Harwood - 1.17-6
+- Fix memory leak in 'none' replay cache type
+- Silence a coverity warning while we're here.
+
+* Fri Feb 01 2019 Robbie Harwood - 1.17-5
+- Update FIPS blocking for RC4
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1.17-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jan 17 2019 Robbie Harwood - 1.17-3
+- enctype logging and explicit_bzero()
+
+* Tue Jan 08 2019 Robbie Harwood - 1.17-2
+- New upstream version (1.17)
+
+* Fri Jan 04 2019 Robbie Harwood - 1.17-1.beta2.6
+- Use openssl's PRNG in FIPS mode
+
+* Fri Jan 04 2019 Robbie Harwood - 1.17-1.beta2.5
+- Address some optimized-out memset() calls
+
+* Thu Dec 20 2018 Robbie Harwood - 1.17-1.beta2.4
+- Remove incorrect KDC assertion
+
+* Thu Dec 20 2018 Robbie Harwood - 1.17-1.beta2.3
+- Fix syntax on pkinit_anchors field in default krb5.conf
+
+* Mon Dec 17 2018 Robbie Harwood - 1.17-1.beta2.2
+- Restore pdfs source file
+ Resolves: rhbz#1659716
+
+* Thu Dec 06 2018 Robbie Harwood - 1.17-1.beta2.1
+- New upstream release (1.17-beta2)
+- Drop pdfs source file
+
+* Thu Nov 29 2018 Robbie Harwood - 1.17-1.beta1.3
+- Add tests for KCM ccache type
+
+* Mon Nov 12 2018 Robbie Harwood - 1.17-1.beta1.2
+- Gain FIPS awareness
+
+* Thu Nov 08 2018 Robbie Harwood - 1.17-1.beta1.1
+- Fix spurious errors from kcmio_unix_socket_write
+ Resolves: rhbz#1645912
+
+* Thu Nov 01 2018 Robbie Harwood - 1.17-0.beta1.1
+- New upstream beta release
+
+* Wed Oct 24 2018 Robbie Harwood - 1.16.1-25
+- Update man pages to reference kerberos(7)
+ Resolves: rhbz#1143767
+
+* Wed Oct 17 2018 Robbie Harwood - 1.16.1-24
+- Use port-sockets.h macros in cc_kcm, sendto_kdc
+ Resolves: rhbz#1631998
+
+* Wed Oct 17 2018 Robbie Harwood - 1.16.1-23
+- Correct kpasswd_server description in krb5.conf(5)
+ Resolves: rhbz#1640272
+
+* Mon Oct 15 2018 Robbie Harwood - 1.16.1-22
+- Prefer TCP to UDP for password changes
+ Resolves: rhbz#1637611
+
+* Tue Oct 09 2018 Adam Williamson - 1.16.1-21
+- Revert the patch from -20 for now as it seems to make FreeIPA worse
+
+* Tue Oct 02 2018 Robbie Harwood - 1.16.1-20
+- Fix bugs with concurrent use of MEMORY ccaches
+
+* Wed Aug 01 2018 Robbie Harwood - 1.16.1-19
+- In FIPS mode, add plaintext fallback for RC4 usages and taint
+
+* Thu Jul 26 2018 Robbie Harwood - 1.16.1-18
+- Fix k5test prompts for Python 3
+
+* Thu Jul 19 2018 Robbie Harwood - 1.16.1-17
+- Remove outdated note in krb5kdc man page
+
+* Thu Jul 19 2018 Robbie Harwood - 1.16.1-16
+- Make krb5kdc -p affect TCP ports
+
+* Thu Jul 19 2018 Robbie Harwood - 1.16.1-15
+- Eliminate preprocessor-disabled dead code
+
+* Wed Jul 18 2018 Robbie Harwood - 1.16.1-14
+- Fix some broken tests for Python 3
+
+* Mon Jul 16 2018 Robbie Harwood - 1.16.1-13
+- Zap copy of secret in RC4 string-to-key
+
+* Thu Jul 12 2018 Robbie Harwood - 1.16.1-12
+- Convert Python tests to Python 3
+
+* Wed Jul 11 2018 Robbie Harwood - 1.16.1-11
+- Add build dependency on gcc
+
+* Tue Jul 10 2018 Robbie Harwood - 1.16.1-10
+- Use SHA-256 instead of MD5 for audit ticket IDs
+
+* Fri Jul 06 2018 Robbie Harwood - 1.16.1-9
+- Add BuildRequires on python2 so we can run tests at build-time
+
+* Fri Jul 06 2018 Robbie Harwood - 1.16.1-8
+- Explicitly look for python2 in configure.in
+
+* Thu Jun 14 2018 Robbie Harwood - 1.16.1-7
+- Add flag to disable encrypted timestamp on client
+
+* Thu Jun 14 2018 Robbie Harwood - 1.16.1-6
+- Switch to python3-sphinx for docs
+ Resolves: rhbz#1590928
+
+* Thu Jun 14 2018 Robbie Harwood - 1.16.1-5
+- Make docs build python3-compatible
+ Resolves: rhbz#1590928
+
+* Thu Jun 07 2018 Robbie Harwood - 1.16.1-4
+- Update includedir processing to match upstream
+
+* Fri Jun 01 2018 Robbie Harwood - 1.16.1-3
+- Log when non-root ksu authorization fails
+ Resolves: rhbz#1575771
+
+* Fri May 04 2018 Robbie Harwood - 1.16.1-2
+- Remove "-nodes" option from make-certs scripts
+
+* Fri May 04 2018 Robbie Harwood - 1.16.1-1
+- New upstream release - 1.16.1
+
+* Thu May 03 2018 Robbie Harwood - 1.16-27
+- Fix configuration of default ccache name to match file indentation
+
+* Mon Apr 30 2018 Robbie Harwood - 1.16-26
+- Set error message on KCM get_princ failure
+
+* Mon Apr 30 2018 Robbie Harwood - 1.16-25
+- Set error message on KCM get_princ failure
+
+* Tue Apr 24 2018 Robbie Harwood - 1.16-24
+- Fix KDC null dereference on large TGS replies
+
+* Mon Apr 23 2018 Robbie Harwood - 1.16-23
+- Explicitly use openssl rather than builtin crypto
+ Resolves: rhbz#1570910
+
+* Tue Apr 17 2018 Robbie Harwood - 1.16-22
+- Merge duplicate subsections in profile library
+
+* Mon Apr 09 2018 Robbie Harwood - 1.16-21
+- Restrict pre-authentication fallback cases
+
+* Tue Apr 03 2018 Robbie Harwood - 1.16-20
+- Be more careful asking for AS key in SPAKE client
+
+* Mon Apr 02 2018 Robbie Harwood - 1.16-19
+- Zap data when freeing krb5_spake_factor
+
+* Thu Mar 29 2018 Robbie Harwood - 1.16-18
+- Continue after KRB5_CC_END in KCM cache iteration
+
+* Tue Mar 27 2018 Robbie Harwood - 1.16-17
+- Fix SPAKE memory leak
+
+* Tue Mar 27 2018 Robbie Harwood - 1.16-16
+- Fix gitignore problem with previous patchset
+
+* Tue Mar 27 2018 Robbie Harwood - 1.16-15
+- Add SPAKE support
+- Improve protections on internal sensitive buffers
+- Improve internal hex encoding/decoding
+
+* Tue Mar 20 2018 Robbie Harwood - 1.16-14
+- Fix problem with ccache_name logic in previous build
+
+* Tue Mar 20 2018 Robbie Harwood - 1.16-13
+- Add pkinit_anchors default value to krb5.conf
+- Reindent krb5.conf to not be terrible
+
+* Tue Mar 20 2018 Robbie Harwood - 1.16-12
+- Log preauth names in trace output
+- Misc bugfixes from upstream
+
+* Mon Mar 19 2018 Robbie Harwood - 1.16-11
+- Add PKINIT KDC support for freshness token
+
+* Wed Mar 14 2018 Robbie Harwood - 1.16-10
+- Exit with status 0 from kadmind
+
+* Tue Mar 13 2018 Robbie Harwood - 1.16-9
+- Fix hex conversion of PKINIT certid strings
+
+* Wed Mar 07 2018 Robbie Harwood - 1.16-8
+- Fix capaths "." values on client
+ Resolves: 1551099
+
+* Tue Feb 13 2018 Robbie Harwood - 1.16-7
+- Fix flaws in LDAP DN checking
+- CVE-2018-5729, CVE-2018-5730
+
+* Mon Feb 12 2018 Robbie Harwood - 1.16-6
+- Fix a leak in the previous commit
+- Restore dist macro that was accidentally removed
+ Resolves: rhbz#1540939
+
+* Wed Feb 07 2018 Fedora Release Engineering - 1.16-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko - 1.16-4
+- Switch to %%ldconfig_scriptlets
+
+* Mon Jan 29 2018 Robbie Harwood - 1.16-3
+- Process included directories in alphabetical order
+
+* Tue Dec 12 2017 Robbie Harwood - 1.16-2
+- Fix network service dependencies
+ Resolves: rhbz#1525230
+
+* Wed Dec 06 2017 Robbie Harwood - 1.16-1
+- New upstream release (1.16)
+- No changes from beta2
+
+* Mon Nov 27 2017 Robbie Harwood - 1.16-0.beta2.1
+- New upstream prerelease (1.16-beta2)
+
+* Tue Oct 24 2017 Robbie Harwood - 1.16-0.beta1.4
+- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
+
+* Mon Oct 23 2017 Robbie Harwood - 1.16-0.beta1.3
+- Drop dependency on python2-pyrad (dead upstream, broken with new python)
+
+* Mon Oct 09 2017 Robbie Harwood - 1.16-0.beta1.2
+- Actually bump kdbversion like I was supposed to
+
+* Thu Oct 05 2017 Robbie Harwood - 1.16-0.beta1.1
+- New upstream prerelease (1.16-beta1)
+
+* Thu Sep 28 2017 Robbie Harwood - 1.15.2-2
+- Add German translation
+
+* Mon Sep 25 2017 Robbie Harwood - 1.15.2-1
+- New upstream release - krb5-1.15.2
+- Adjust patches as appropriate
+
+* Wed Sep 06 2017 Robbie Harwood - 1.15.1-28
+- Save other programs from worrying about CVE-2017-11462
+ Resolves: rhbz#1488873
+ Resolves: rhbz#1488874
+
+* Tue Sep 05 2017 Robbie Harwood - 1.15.1-27
+- Add hostname-based ccselect module
+ Resolves: rhbz#1463665
+
+* Tue Sep 05 2017 Robbie Harwood - 1.15.1-26
+- Backport upstream certauth EKU fixes
+
+* Fri Aug 25 2017 Robbie Harwood - 1.15.1-25
+- Backport certauth eku security fix
+
+* Mon Aug 21 2017 Robbie Harwood - 1.15.1-24
+- Backport kdc policy plugin, but this time with dependencies
+
+* Mon Aug 21 2017 Robbie Harwood - 1.15.1-23
+- Backport kdcpolicy interface
+
+* Wed Aug 16 2017 Robbie Harwood - 1.15.1-22
+
+* Mon Aug 07 2017 Robbie Harwood - 1.15.1-21
+- Display an error message if ocsp pkinit is requested
+
+* Wed Aug 02 2017 Robbie Harwood - 1.15.1-20
+- Disable dns_canonicalize_hostname. This may break some setups.
+
+* Wed Aug 02 2017 Robbie Harwood - 1.15.1-19
+- Re-enable test suite on ppc64le (no other changes)
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1.15.1-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 20 2017 Robbie Harwood - 1.15.1-17
+- Fix CVE-2017-11368 (remote triggerable assertion failure)
+
+* Wed Jul 19 2017 Robbie Harwood - 1.15.1-16
+- Explicitly require python2 packages
+
+* Wed Jul 19 2017 Robbie Harwood - 1.15.1-15
+- Add support to query the SSF of a context
+- Pick up rename of perl dependency
+
+* Thu Jul 06 2017 Robbie Harwood - 1.15.1-14
+- Fix leaks in gss_inquire_cred_by_oid()
+
+* Mon Jun 26 2017 Robbie Harwood - 1.15.1-13
+- Fix arch name (ppc64le, not ppc64el)
+- Related-to: rhbz#1464381
+
+* Mon Jun 26 2017 Robbie Harwood - 1.15.1-12
+- Skip test suite on ppc64el
+- Related-to: rhbz#1464381
+
+* Fri Jun 23 2017 Robbie Harwood - 1.15.1-11
+- Include more test suite changes from upstream
+ Resolves: rhbz#1464381
+
+* Wed Jun 07 2017 Robbie Harwood - 1.15.1-10
+- Fix custom build with -DDEBUG
+
+* Wed May 24 2017 Robbie Harwood - 1.15.1-9
+- Use standard trigger logic for krb5 snippet
+
+* Fri Apr 28 2017 Robbie Harwood - 1.15.1-8
+- Add kprop service env config file
+
+* Wed Apr 19 2017 Robbie Harwood - 1.15.1-7
+- Update backports of certauth and corresponding test
+
+* Thu Apr 13 2017 Robbie Harwood - 1.15.1-6
+- Include fixes for previous commit
+ Resolves: rhbz#1433083
+
+* Thu Apr 13 2017 Robbie Harwood - 1.15.1-5
+- Automatically add includedir where not present
+- Try removing sleep statement to see if it is still needed
+ Resolves: rhbz#1433083
+
+* Fri Apr 07 2017 Robbie Harwood - 1.15.1-4
+- Fix use of enterprise principals with forwarding
+
+* Wed Mar 22 2017 Robbie Harwood - 1.15.1-3
+- Backport certauth plugin and related pkinit changes
+
+* Tue Mar 07 2017 Robbie Harwood - 1.15.1-2
+- Remove duplication between subpackages
+ Resolves: rhbz#1250228
+
+* Fri Mar 03 2017 Robbie Harwood - 1.15.1-1
+- New upstream release - 1.15.1
+
+* Wed Mar 01 2017 Robbie Harwood - 1.15-9
+- Patch build by disabling failing test; will fix properly soon
+
+* Fri Feb 17 2017 Robbie Harwood - 1.15-8
+- Hammer refresh around transient rawhide issue
+
+* Fri Feb 17 2017 Robbie Harwood - 1.15-7
+- Backport fix for GSSAPI fallback realm
+
+* Tue Feb 07 2017 Robbie Harwood - 1.15-6
+- Move krb5-kdb-version provides from -libs to -devel
+
+* Fri Jan 20 2017 Robbie Harwood - 1.15-5
+- Add free hook to KDB; increments KDB version
+- Add KDB version flag
+
+* Mon Dec 05 2016 Robbie Harwood - 1.15-4
+- New upstream release
+
+* Wed Nov 16 2016 Robbie Harwood - 1.15-beta2-3
+- New upstream release
+
+* Thu Nov 10 2016 Robbie Harwood - 1.15-beta1-2
+- Ensure we can build with the new CFLAGS
+- Remove the git versioning in patches
+
+* Thu Oct 20 2016 Robbie Harwood - 1.15-beta1-1
+- New upstream release
+- Update selinux with RHEL hygene
+ Resolves: rhbz#1314096
+
+* Tue Oct 11 2016 Tomáš Mráz - 1.14.4-6
+- rebuild with OpenSSL 1.1.0, added backported upstream patch
+
+* Fri Sep 30 2016 Robbie Harwood - 1.14.4-5
+- Properly close krad sockets
+ Resolves: rhbz#1380836
+
+* Fri Sep 30 2016 Robbie Harwood - 1.14.4-4
+- Fix backward check in kprop.service
+
+* Fri Sep 30 2016 Robbie Harwood - 1.14.4-3
+- Switch to using autosetup macro.
+ - Patches come from git, so it is easiest to just make a git repo
+
+* Thu Sep 22 2016 Robbie Harwood - 1.14.4-2
+- Backport getrandom() support
+- Remove patch numbering
+
+* Mon Sep 19 2016 Robbie Harwood - 1.14.4-1
+- New upstream release
+- Update names and numbers to match external git
+
+* Mon Sep 19 2016 Robbie Harwood - 1.14.3-9
+- Add krb5_db_register_keytab
+ Resolves: rhbz#1376812
+
+* Mon Aug 29 2016 Robbie Harwood - 1.14.3-8
+- Use responder for non-preauth AS requests
+ Resolves: rhbz#1370622
+
+* Mon Aug 29 2016 Robbie Harwood - 1.14.3-7
+- Guess Samba client mutual flag using ap_option
+ Resolves: rhbz#1370980
+
+* Thu Aug 25 2016 Robbie Harwood - 1.14.3-6
+- Fix KDC return code and set prompt types for OTP client preauth
+ Resolves: rhbz#1370072
+
+* Mon Aug 15 2016 Robbie Harwood - 1.14.3-5
+- Turn OFD locks back on with glibc workaround
+ Resolves: rhbz#1274922
+
+* Wed Aug 10 2016 Robbie Harwood - 1.14.3-4
+- Fix use of KKDCPP with SNI
+ Resolves: rhbz#1365027
+
+* Fri Aug 05 2016 Robbie Harwood - 1.14.3-3
+- Make krb5-devel depend on libkadm5
+ Resolves: rhbz#1364487
+
+* Wed Aug 03 2016 Robbie Harwood - 1.14.3-2
+- Up-port a bunch of stuff from the el-7.3 cycle
+ Resolves: rhbz#1255450, rhbz#1314989
+
+* Mon Aug 01 2016 Robbie Harwood - 1.14.3-1
+- New upstream version 1.14.3
+
+* Thu Jul 28 2016 Robbie Harwood - 1.14.1-9
+- Fix CVE-2016-3120
+ Resolves: rhbz#1361051
+
+* Wed Jun 22 2016 Robbie Harwood - 1.14.1-8
+- Fix incorrect recv() size calculation in libkrad
+
+* Thu Jun 16 2016 Robbie Harwood - 1.14.1-7
+- Separate out the kadm5 libs
+
+* Fri May 27 2016 Robbie Harwood - 1.14.1-6
+- Fix setting of AS key in OTP preauth failure
+
+* Tue Apr 05 2016 Robbie Harwood - 1.14.1-5
+- Use the correct patches this time.
+ Resolves: rhbz#1321135
+
+* Mon Apr 04 2016 Robbie Harwood - 1.14.1-4
+- Add send/receive sendto_kdc hooks and corresponding tests
+ Resolves: rhbz#1321135
+
+* Fri Mar 18 2016 Robbie Harwood - 1.14.1-3
+- Fix CVE-2016-3119 (NULL deref in LDAP module)
+
+* Thu Mar 17 2016 Robbie Harwood - 1.14.1-2
+- Backport OID mech fix
+ Resolves: rhbz#1317609
+
+* Mon Feb 29 2016 Robbie Harwood - 1.14.1-1
+- New rawhide, new upstream version
+- Drop CVE patches
+- Rename fix_interposer.patch to acquire_cred_interposer.patch
+- Update acquire_cred_interposer.patch to apply to new source
+
+* Mon Feb 22 2016 Robbie Harwood - 1.14-23
+- Fix log file permissions patch with our selinux
+ Resolves: rhbz#1309421
+
+* Fri Feb 19 2016 Robbie Harwood - 1.14-22
+- Backport my interposer fixes from upstream
+ - Supersedes krb5-mechglue_inqure_attrs.patch
+
+* Tue Feb 16 2016 Robbie Harwood - 1.14-21
+- Adjust dependency on crypto-polices to be just the file we want
+- Patch courtesy of lslebodn
+ Resolves: rhbz#1308984
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1.14-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jan 28 2016 Robbie Harwood - 1.14-19
+- Replace _kadmin/_kprop with systemd macros
+- Remove traces of upstart from fedora package per policy
+ Resolves: rhbz#1290185
+
+* Wed Jan 27 2016 Robbie Harwood - 1.14-18
+- Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
+
+* Thu Jan 21 2016 Robbie Harwood - 1.14-17
+- Make krb5kdc.log not world-readable by default
+ Resolves: rhbz#1276484
+
+* Thu Jan 21 2016 Robbie Harwood - 1.14-16
+- Allow verification of attributes on krb5.conf
+
+* Wed Jan 20 2016 Robbie Harwood - 1.14-15
+- Use "new" systemd macros for service handling. (Thanks vpavlin!)
+ Resolves: rhbz#850399
+
+* Wed Jan 20 2016 Robbie Harwood - 1.14-14
+- Remove WITH_NSS macro (always false)
+- Remove WITH_SYSTEMD macro (always true)
+- Remove WITH_LDAP macro (always true)
+- Remove WITH_OPENSSL macro (always true)
+
+* Fri Jan 08 2016 Robbie Harwood - 1.14-13
+- Backport fix for chrome crash in spnego_gss_inquire_context
+ Resolves: rhbz#1295893
+
+* Wed Dec 16 2015 Robbie Harwood - 1.14-12
+- Backport patch to fix mechglue for gss_inqure_attrs_for_mech()
+
+* Thu Dec 03 2015 Robbie Harwood - 1.14-11
+- Backport interposer fix (rhbz#1284985)
+- Drop workaround pwsize initialization patch (gcc has been fixed)
+
+* Tue Nov 24 2015 Robbie Harwood - 1.14-10
+- Fix FTBFS by no longer working around bug in nss_wrapper
+
+* Mon Nov 23 2015 Robbie Harwood - 1.14-9
+- Upstream release. No actual change from beta, just version bump
+- Clean up unused parts of spec file
+
+* Mon Nov 16 2015 Robbie Harwood - 1.14-beta2-8
+- New upstream beta version
+
+* Wed Nov 04 2015 Robbie Harwood - 1.14-beta1-7
+- Patch CVE-2015-2698
+
+* Tue Oct 27 2015 Robbie Harwood - 1.14-beta1-6
+- Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695
+
+* Thu Oct 22 2015 Robbie Harwood - 1.14-beta1-5
+- Ensure pwsize is initialized in chpass_util.c
+
+* Thu Oct 22 2015 Robbie Harwood - 1.14-beta1-4
+- Fix typo of crypto-policies file in previous version
+
+* Mon Oct 19 2015 Robbie Harwood - 1.14-beta1-3
+- Start using crypto-policies
+
+* Mon Oct 19 2015 Robbie Harwood - 1.14-beta1-2
+- TEMPORARILY disable usage of OFD locks as a workaround for x86
+
+* Thu Oct 15 2015 Robbie Harwood - 1.14-beta1-1
+- New upstream beta version
+
+* Thu Oct 08 2015 Robbie Harwood - 1.13.2-13
+- Work around KDC client prinicipal in referrals issue (rhbz#1259844)
+
+* Thu Oct 01 2015 Robbie Harwood - 1.13.2-12
+- Enable building with bad system /etc/krb5.conf
+
+* Wed Sep 23 2015 Robbie Harwood - 1.13.2-11
+- Drop dependency on pax, ksh
+- Remove support for fedora < 20
+
+* Wed Sep 23 2015 Robbie Harwood - 1.13.2-10
+- Nix /usr/share/krb5.conf.d to reduce complexity
+
+* Wed Sep 23 2015 Robbie Harwood - 1.13.2-9
+- Depend on crypto-policies which provides /etc/krb5.conf.d (rhbz#1225792)
+
+* Thu Sep 10 2015 Robbie Harwood - 1.13.2-8
+- Remove dependency on systemd-sysv which is no longer needed for fedora > 20
+ This also fixes a fail-to-build issue.
+- Miscalaneous spec cleanup fixes
+
+* Thu Sep 10 2015 Robbie Harwood - 1.13.2-7
+- Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/
+ (rhbz#1225792, rhbz#1146370, rhbz#1145808)
+
+* Thu Jun 25 2015 Roland Mainz - 1.13.2-6
+- Use system nss_wrapper and socket_wrapper for testing.
+ Patch by Andreas Schneider
+
+* Thu Jun 25 2015 Roland Mainz - 1.13.2-5
+- Remove Zanata test glue and related workarounds
+ - rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
+ - rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh")
+
+* Thu Jun 18 2015 Roland Mainz - 1.13.2-4
+- Fix dependicy on binfmt.service
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.13.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 2 2015 Roland Mainz - 1.13.2-2
+- Add patch to fix Redhat rhbz#1227542 ("[SELinux] AVC denials may appear
+ when kadmind starts"). The issue was caused by an unneeded |htons()|
+ which triggered SELinux AVC denials due to the "random" port usage.
+
+* Thu May 21 2015 Roland Mainz - 1.13.2-1
+- Add fix for RedHat rhbz#1164304 ("Upstream unit tests loads
+ the installed shared libraries instead the ones from the build")
+
+* Thu May 14 2015 Roland Mainz - 1.13.2-0
+- Update to krb5-1.13.2
+ - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
+ - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
+- Add script processing for upcoming Zanata l10n support
+- Minor spec cleanup
+
+* Mon May 4 2015 Roland Mainz - 1.13.1-4
+- fix for CVE-2015-2694 (rhbz#1216133) "requires_preauth bypass
+ in PKINIT-enabled KDC".
+ In MIT krb5 1.12 and later, when the KDC is configured with
+ PKINIT support, an unauthenticated remote attacker can
+ bypass the requires_preauth flag on a client principal and
+ obtain a ciphertext encrypted in the principal's long-term
+ key. This ciphertext could be used to conduct an off-line
+ dictionary attack against the user's password.
+
+* Wed Mar 25 2015 Roland Mainz - 1.13.1-3
+- Add temporay workaround for RH rhbz#1204646 ("krb5-config
+ returns wrong -specs path") which modifies krb5-config post
+ build so that development of krb5 dependicies gets unstuck.
+ This MUST be removed before rawhide becomes F23 ...
+
+* Thu Mar 19 2015 Roland Mainz - 1.13.1-2
+- fix for CVE-2014-5355 (rhbz#1193939) "krb5: unauthenticated
+ denial of service in recvauth_common() and others"
+
+* Fri Feb 13 2015 Roland Mainz - 1.13.1-1
+- Update to krb5-1.13.1
+ - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
+ - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
+ - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
+- Minor spec cleanup
+
+* Wed Feb 4 2015 Roland Mainz - 1.13-8
+- fix for CVE-2014-5352 (rhbz#1179856) "gss_process_context_token()
+ incorrectly frees context (MITKRB5-SA-2015-001)"
+- fix for CVE-2014-9421 (rhbz#1179857) "kadmind doubly frees partial
+ deserialization results (MITKRB5-SA-2015-001)"
+- fix for CVE-2014-9422 (rhbz#1179861) "kadmind incorrectly
+ validates server principal name (MITKRB5-SA-2015-001)"
+- fix for CVE-2014-9423 (rhbz#1179863) "libgssrpc server applications
+ leak uninitialized bytes (MITKRB5-SA-2015-001)"
+
+* Wed Feb 4 2015 Roland Mainz - 1.13-7
+- Remove "python-sphinx-latex" and "tar" from the build requirements
+ to fix build failures on F22 machines.
+- Minor spec cleanup
+
+* Mon Feb 02 2015 Nathaniel McCallum - 1.13-6
+- Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063)
+
+* Mon Jan 26 2015 Roland Mainz - 1.13-5
+- fix for kinit -C loops (rhbz#1184629, MIT/krb5 issue 243, "Do not
+ loop on principal unknown errors").
+- Added "python-sphinx-latex" to the build requirements
+ to fix build failures on F22 machines.
+
+* Thu Dec 18 2014 Roland Mainz - 1.13-4
+- fix for CVE-2014-5354 (rhbz#1174546) "krb5: NULL pointer
+ dereference when using keyless entries"
+
+* Wed Dec 17 2014 Roland Mainz - 1.13-3
+- fix for CVE-2014-5353 (rhbz#1174543) "Fix LDAP misused policy
+ name crash"
+
+* Wed Oct 29 2014 Roland Mainz - 1.13-2
+- Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue
+ which would lead yum updates to treat the last alpha as newer
+ than the final version.
+
+* Wed Oct 29 2014 Roland Mainz - 1.13-1
+- Update from krb5-1.13-alpha1 to final krb5-1.13
+- Removed patch for CVE-2014-5351 (rhbz#1145425) "krb5: current
+ keys returned when randomizing the keys for a service principal" -
+ now part of upstream sources
+- Use patch for glibc |eventfd()| prototype mismatch (rhbz#1147887) only
+ for Fedora > 20
+
+* Tue Sep 30 2014 Roland Mainz - 1.13-0.alpha1.3
+- fix build failure caused by change of prototype for glibc
+ |eventfd()| (rhbz#1147887)
+
+* Mon Sep 29 2014 Roland Mainz - 1.13-0.alpha1.3
+- fix for CVE-2014-5351 (rhbz#1145425) "krb5: current keys returned when
+ randomizing the keys for a service principal"
+
+* Mon Sep 8 2014 Nalin Dahyabhai - 1.13-0.alpha1.3
+- fix the problem where the %%license file has been a dangling symlink
+
+* Tue Aug 26 2014 Nalin Dahyabhai - 1.13-0.alpha1.2
+- kpropd hasn't bothered with -S since 1.11; stop trying to use that flag
+ in the systemd unit file
+
+* Fri Aug 22 2014 Nalin Dahyabhai - 1.13-0.alpha1.1
+- update to 1.13 alpha1
+ - drop upstreamed and backported patches
+
+* Wed Aug 20 2014 Nalin Dahyabhai - 1.12.2-3
+- pull in upstream fix for an incorrect check on the value returned by a
+ strdup() call (rhbz#1132062)
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1.12.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Aug 15 2014 Nalin Dahyabhai - 1.12.2-1
+- update to 1.12.2
+ - drop patch for RT#7820, fixed in 1.12.2
+ - drop patch for rhbz#231147, fixed as RT#3277 in 1.12.2
+ - drop
patch for RT#7818, fixed in 1.12.2 + - drop patch for RT#7836, fixed in 1.12.2 + - drop patch for RT#7858, fixed in 1.12.2 + - drop patch for RT#7924, fixed in 1.12.2 + - drop patch for RT#7926, fixed in 1.12.2 + - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 + - drop patch for CVE-2014-4343, included in 1.12.2 + - drop patch for CVE-2014-4344, included in 1.12.2 + - drop patch for CVE-2014-4345, included in 1.12.2 +- replace older proposed changes for ksu with backports of the changes + after review and merging upstream (rhbz#1015559, rhbz#1026099, rhbz#1118347) + +* Thu Aug 7 2014 Nalin Dahyabhai - 1.12.1-14 +- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) + +* Mon Jul 21 2014 Nalin Dahyabhai - 1.12.1-13 +- gssapi: pull in upstream fix for a possible NULL dereference + in spnego (CVE-2014-4344) + +* Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 +- gssapi: pull in proposed fix for a double free in initiators (David + Woodhouse, CVE-2014-4343, rhbz#1117963) + +* Sat Jul 12 2014 Tom Callaway - 1.12.1-11 +- fix license handling + +* Mon Jul 7 2014 Nalin Dahyabhai - 1.12.1-10 +- pull in fix for denial of service by injection of malformed GSSAPI tokens + (CVE-2014-4341, CVE-2014-4342, rhbz#1116181) + +* Tue Jun 24 2014 Nalin Dahyabhai - 1.12.1-9 +- pull in changes from upstream which add processing of the contents of + /etc/gss/mech.d/*.conf when loading GSS modules (rhbz#1102839) + +* Thu Jun 12 2014 Nalin Dahyabhai - 1.12.1-8 +- pull in fix for building against tcl 8.6 (rhbz#1107061) + +* Sun Jun 08 2014 Fedora Release Engineering - 1.12.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Mar 04 2014 Nathaniel McCallum - 1.12.1-6 +- Backport fix for change password requests when using FAST (RT#7868) + +* Mon Feb 17 2014 Nalin Dahyabhai - 1.12.1-5 +- spnego: pull in patch from master to restore preserving the OID of the + mechanism the initiator requested when we have multiple OIDs for the same + mechanism, so 
that we reply using the same mechanism OID and the initiator + doesn't get confused (rhbz#1066000, RT#7858) + +* Fri Feb 7 2014 Nalin Dahyabhai - 1.12.1-4 +- pull in patch from master to move the default directory which the KDC uses + when computing the socket path for a local OTP daemon from the database + directory (/var/kerberos/krb5kdc) to the newly-added run directory + (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more + of rhbz#1040056 as rhbz#1063905) +- add a tmpfiles.d configuration file to have /run/krb5kdc created at + boot-time +- own /var/run/krb5kdc + +* Fri Jan 31 2014 Nalin Dahyabhai - 1.12.1-3 +- refresh nss_wrapper and add socket_wrapper to the %%check environment + +* Fri Jan 31 2014 Nalin Dahyabhai +- add currently-proposed changes to teach ksu about credential cache + collections and the default_ccache_name setting (rhbz#1015559,rhbz#1026099) + +* Tue Jan 21 2014 Nalin Dahyabhai - 1.12.1-2 +- pull in multiple changes to allow replay caches to be added to a GSS + credential store as "rcache"-type credentials (RT#7818/rhbz#7819/rhbz#7836, + rhbz#1056078/rhbz#1056080) + +* Fri Jan 17 2014 Nalin Dahyabhai - 1.12.1-1 +- update to 1.12.1 + - drop patch for RT#7794, included now + - drop patch for RT#7797, included now + - drop patch for RT#7803, included now + - drop patch for RT#7805, included now + - drop patch for RT#7807, included now + - drop patch for RT#7045, included now + - drop patches for RT#7813 and RT#7815, included now + - add patch to always retrieve the KDC time offsets from keyring caches, + so that we don't mistakenly interpret creds as expired before their + time when our clock is ahead of the KDC's (RT#7820, rhbz#1030607) + +* Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11 +- update the PIC patch for iaesx86.s to not use ELF relocations to the version + that landed upstream (RT#7815, rhbz#1045699) + +* Thu Jan 9 2014 Nalin Dahyabhai +- pass -Wl,--warn-shared-textrel to the compiler when we're creating shared + 
libraries + +* Thu Jan 9 2014 Nalin Dahyabhai - 1.12-10 +- amend the PIC patch for iaesx86.s to also save/restore ebx in the + functions where we modify it, because the ELF spec says we need to + +* Mon Jan 6 2014 Nalin Dahyabhai - 1.12-9 +- grab a more-commented version of the most recent patch from upstream + master +- make a guess at making the 32-bit AES-NI implementation sufficiently + position-independent to not require execmod permissions for libk5crypto + (more of rhbz#1045699) + +* Thu Jan 2 2014 Nalin Dahyabhai - 1.12-8 +- add patch from Dhiru Kholia for the AES-NI implementations to allow + libk5crypto to be properly marked as not needing an executable stack + on arches where they're used (rhbz#1045699, and so many others) + +* Thu Jan 2 2014 Nalin Dahyabhai - 1.12-7 +- revert that last change for a bit while sorting out execstack when we + use AES-NI (rhbz#1045699) + +* Thu Dec 19 2013 Nalin Dahyabhai - 1.12-6 +- add yasm as a build requirement for AES-NI support, on arches that have + yasm and AES-NI + +* Thu Dec 19 2013 Nalin Dahyabhai - 1.12-5 +- pull in fix from master to make reporting of errors encountered by + the SPNEGO mechanism work better (RT#7045, part of rhbz#1043962) + +* Thu Dec 19 2013 Nalin Dahyabhai +- update a test wrapper to properly handle things that the new libkrad does, + and add python-pyrad as a build requirement so that we can run its tests + +* Wed Dec 18 2013 Nalin Dahyabhai - 1.12-4 +- revise previous patch to initialize one more element + +* Wed Dec 18 2013 Nalin Dahyabhai - 1.12-3 +- backport fixes to krb5_copy_context (RT#7807, rhbz#1044735/rhbz#1044739) + +* Wed Dec 18 2013 Nalin Dahyabhai - 1.12-2 +- pull in fix from master to return a NULL pointer rather than allocating + zero bytes of memory if we read a zero-length input token (RT#7794, part of + rhbz#1043962) +- pull in fix from master to ignore an empty token from an acceptor if + we've already finished authenticating (RT#7797, part of rhbz#1043962) +- pull in fix 
from master to avoid a memory leak when a mechanism's + init_sec_context function fails (RT#7803, part of rhbz#1043962) +- pull in fix from master to avoid a memory leak in a couple of error + cases which could occur while obtaining acceptor credentials (RT#7805, part + of rhbz#1043962) + +* Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1 +- update to 1.12 final + +* Mon Dec 2 2013 Nalin Dahyabhai - 1.12-beta2.0 +- update to beta2 + - drop obsolete backports for storing KDC time offsets and expiration times + in keyring credential caches + +* Tue Nov 19 2013 Nalin Dahyabhai - 1.12-beta1.0 +- rebase to master +- update to beta1 + - drop obsolete backport of fix for RT#7706 + +* Mon Nov 18 2013 Nalin Dahyabhai - 1.11.4-2 +- pull in fix to store KDC time offsets in keyring credential caches (RT#7768, + rhbz#1030607) +- pull in fix to set expiration times on credentials stored in keyring + credential caches (RT#7769, rhbz#1031724) + +* Tue Nov 12 2013 Nalin Dahyabhai - 1.11.4-1 +- update to 1.11.4 + - drop patch for RT#7650, obsoleted + - drop patch for RT#7706, obsoleted as RT#7723 + - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 + +* Tue Nov 12 2013 Nalin Dahyabhai - 1.11.3-31 +- switch to the simplified version of the patch for rhbz#1029110 (RT#7764) + +* Mon Nov 11 2013 Nalin Dahyabhai - 1.11.3-30 +- check more thoroughly for errors when resolving KEYRING ccache names of type + "persistent", which should only have a numeric UID as the next part of the + name (rhbz#1029110) + +* Tue Nov 5 2013 Nalin Dahyabhai - 1.11.3-29 +- incorporate upstream patch for remote crash of KDCs which serve multiple + realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, + rhbz#1026997/rhbz#1031501) + +* Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-28 +- drop patch to add additional access() checks to ksu - they add to breakage + when non-FILE: caches are in use (rhbz#1026099), shouldn't be resulting in any + benefit, and clash with proposed changes to fix its cache 
handling + +* Tue Oct 22 2013 Nalin Dahyabhai - 1.11.3-27 +- add some minimal description to the top of the wrapper scripts we use + when starting krb5kdc and kadmind to describe why they exist (tooling) + +* Thu Oct 17 2013 Nalin Dahyabhai - 1.12-alpha1.0 +- initial update to alpha1 + - drop backport of persistent keyring support + - drop backport for RT#7689 + - drop obsolete patch for fixing a use-before-init in a test program + - drop obsolete patch teaching config.guess/config.sub about aarch64-linux + - drop backport for RT#7598 + - drop backport for RT#7172 + - drop backport for RT#7642 + - drop backport for RT#7643 + - drop patches from master to not test GSSRPC-over-UDP and to not + depend on the portmapper, which are areas where our build systems + often give us trouble, too; obsolete + - drop backports for RT#7682 + - drop backport for RT#7709 + - drop backport for RT#7590 and partial backport for RT#7680 + - drop OTP backport + - drop backports for RT#7656 and RT#7657 +- BuildRequires: libedit-devel to prefer it +- BuildRequires: pkgconfig, since configure uses it + +* Wed Oct 16 2013 Nalin Dahyabhai - 1.11.3-26 +- create and own /etc/gss (rhbz#1019937) + +* Tue Oct 15 2013 Nalin Dahyabhai - 1.11.3-25 +- pull up fix for importing previously-exported credential caches in the + gssapi library (RT# 7706, rhbz#1019420) + +* Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-24 +- backport the callback to use the libkrb5 prompter when we can't load PEM + files for PKINIT (RT#7590, includes part of rhbz#965721/rhbz#1016690) +- extract the rest of the fix rhbz#965721/rhbz#1016690 from the changes for RT#7680 + +* Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-23 +- fix trigger scriptlet's invocation of sed (rhbz#1016945) + +* Fri Oct 4 2013 Nalin Dahyabhai - 1.11.3-22 +- rebuild with keyutils 1.5.8 (part of rhbz#1012043) + +* Wed Oct 2 2013 Nalin Dahyabhai - 1.11.3-21 +- switch to the version of persistent-keyring that was just merged to + master (RT#7711), along with related 
changes to kinit (RT#7689) +- go back to setting default_ccache_name to a KEYRING type + +* Mon Sep 30 2013 Nalin Dahyabhai - 1.11.3-20 +- pull up fix for not calling a kdb plugin's check-transited-path + method before calling the library's default version, which only knows + how to read what's in the configuration file (RT#7709, rhbz#1013664) + +* Thu Sep 26 2013 Nalin Dahyabhai - 1.11.3-19 +- configure --without-krb5-config so that we don't pull in the old default + ccache name when we want to stop setting a default ccache name at configure- + time + +* Wed Sep 25 2013 Nalin Dahyabhai - 1.11.3-18 +- fix broken dependency on awk (should be gawk, rdieter) + +* Wed Sep 25 2013 Nalin Dahyabhai - 1.11.3-17 +- add missing dependency on newer keyutils-libs (rhbz#1012034) + +* Tue Sep 24 2013 Nalin Dahyabhai - 1.11.3-16 +- back out setting default_ccache_name to the new default for now, resetting + it to the old default while the kernel/keyutils bits get sorted (sgallagh) + +* Mon Sep 23 2013 Nalin Dahyabhai - 1.11.3-15 +- add explicit build-time dependency on a version of keyutils that's new + enough to include keyctl_get_persistent() (more of rhbz#991148) + +* Thu Sep 19 2013 Nalin Dahyabhai - 1.11.3-14 +- incorporate Simo's updated backport of his updated persistent-keyring changes + (more of rhbz#991148) + +* Fri Sep 13 2013 Nalin Dahyabhai - 1.11.3-13 +- don't break during %%check when the session keyring is revoked + +* Fri Sep 13 2013 Nalin Dahyabhai - 1.11.3-12 +- pull the newer F21 defaults back to F20 (sgallagh) + +* Mon Sep 9 2013 Nalin Dahyabhai +- only apply the patch to autocreate /run/user/0 when we're hard-wiring the + default ccache location to be under it; otherwise it's unnecessary + +* Mon Sep 9 2013 Nalin Dahyabhai 1.11.3-11 +- don't let comments intended for one scriptlet become part of the "script" + that gets passed to ldconfig as part of another one (Mattias Ellert, rhbz#1005675) + +* Fri Sep 6 2013 Nalin Dahyabhai 1.11.3-10 +- incorporate Simo's 
backport of his persistent-keyring changes (rhbz#991148) +- restore build-time default DEFCCNAME on Fedora 21 and later and EL, and + instead set default_ccache_name in the default krb5.conf's [libdefaults] + section (rhbz#991148) +- on releases where we expect krb5.conf to be configured with a + default_ccache_name, add it whenever we upgrade from an older version of + the package that wouldn't have included it in its default configuration + file (rhbz#991148) + +* Fri Aug 23 2013 Nalin Dahyabhai 1.11.3-9 +- take another stab at accounting for UnversionedDocdirs for the -libs + subpackage (spotted by ssorce) +- switch to just the snapshot of nss_wrapper we were using, since we + no longer need to carry anything that isn't in the cwrap.org repository + (ssorce) + +* Thu Aug 15 2013 Nalin Dahyabhai 1.11.3-8 +- drop a patch we weren't not applying (build tooling) +- wrap kadmind and kpropd in scripts which check for the presence/absence + of files which dictate particular exit codes before exec'ing the actual + binaries, instead of trying to use ConditionPathExists in the unit files + to accomplish that, so that we exit with failure properly when what we + expect isn't actually in effect on the system (rhbz#800343) + +* Mon Jul 29 2013 Nalin Dahyabhai 1.11.3-7 +- attempt to account for UnversionedDocdirs for the -libs subpackage + +* Fri Jul 26 2013 Nalin Dahyabhai 1.11.3-6 +- tweak configuration files used during tests to try to reduce the number + of conflicts encountered when builds for multiple arches land on the same + builder + +* Mon Jul 22 2013 Nalin Dahyabhai 1.11.3-5 +- pull up changes to allow GSSAPI modules to provide more functions + (RT#7682, rhbz#986564/rhbz#986565) + +* Fri Jul 19 2013 Nalin Dahyabhai 1.11.3-4 +- use (a bundled, for now, copy of) nss_wrapper to let us run some of the + self-tests at build-time in more places than we could previously (rhbz#978756) +- cover inconsistencies in whether or not there's a local caching nameserver + that's 
willing to answer when the build environment doesn't have a + resolver configuration, so that nss_wrapper's faking of the local + hostname can be complete + +* Mon Jul 1 2013 Nalin Dahyabhai 1.11.3-3 +- specify dependencies on the same arch of krb5-libs by using the %%{?_isa} + suffix, to avoid dragging 32-bit libraries onto 64-bit systems (rhbz#980155) + +* Thu Jun 13 2013 Nalin Dahyabhai 1.11.3-2 +- special-case /run/user/0, attempting to create it when resolving a + directory cache below it fails due to ENOENT and we find that it doesn't + already exist, either, before attempting to create the directory cache + (maybe helping, maybe just making things more confusing for rhbz#961235) + +* Tue Jun 4 2013 Nalin Dahyabhai 1.11.3-1 +- update to 1.11.3 + - drop patch for RT#7605, fixed in this release + - drop patch for CVE-2002-2443, fixed in this release + - drop patch for RT#7369, fixed in this release +- pull upstream fix for breaking t_skew.py by adding the patch for rhbz#961221 + +* Fri May 31 2013 Nalin Dahyabhai 1.11.2-10 +- respin with updated version of patch for RT#7650 (rhbz#969331) + +* Thu May 30 2013 Nalin Dahyabhai 1.11.2-9 +- don't forget to set the SELinux label when creating the directory for + a DIR: ccache +- pull in proposed fix for attempts to get initial creds, which end up + following referrals, incorrectly trying to always use master KDCs if + they talked to a master at any point (should fix RT#7650) + +* Thu May 30 2013 Nalin Dahyabhai 1.11.2-8 +- pull in patches from master to not test GSSRPC-over-UDP and to not + depend on the portmapper, which are areas where our build systems + often give us trouble, too + +* Tue May 28 2013 Nalin Dahyabhai 1.11.2-7 +- backport fix for not being able to verify the list of transited realms + in GSS acceptors (RT#7639, rhbz#959685) +- backport fix for not being able to pass an empty password to the + get-init-creds APIs and have them actually use it (RT#7642, rhbz#960001) +- add backported proposed fix to 
use the unauthenticated server time + as the basis for computing the requested credential expiration times, + rather than the client's idea of the current time, which could be + significantly incorrect (rhbz#961221) + +* Tue May 21 2013 Nalin Dahyabhai 1.11.2-6 +- pull in upstream fix to start treating a KRB5CCNAME value that begins + with DIR:: the same as it would a DIR: value with just one ccache file + in it (RT#7172, rhbz#965574) + +* Mon May 13 2013 Nalin Dahyabhai 1.11.2-5 +- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, + rhbz#962531,rhbz#962534) + +* Mon Apr 29 2013 Nathaniel McCallum 1.11.2-4 +- Update otp patches +- Merge otp patches into a single patch +- Add keycheck patch + +* Tue Apr 23 2013 Nalin Dahyabhai 1.11.2-3 +- pull the changing of the compiled-in default ccache location to + DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and + the most recent pam_krb5 build + +* Wed Apr 17 2013 Nalin Dahyabhai 1.11.2-2 +- correct some configuration file paths which the KDC_DIR patch missed + +* Mon Apr 15 2013 Nalin Dahyabhai 1.11.2-1 +- update to 1.11.2 + - drop pulled in patch for RT#7586, included in this release + - drop pulled in patch for RT#7592, included in this release +- pull in fix for keeping track of the message type when parsing FAST requests + in the KDC (RT#7605, rhbz#951843) (also rhbz#951965) + +* Fri Apr 12 2013 Nalin Dahyabhai 1.11.1-9 +- move the compiled-in default ccache location from the previous default of + FILE:/tmp/krb5cc_%%{uid} to DIR:/run/user/%%{uid}/krb5cc (part of rhbz#949588) + +* Tue Apr 09 2013 Nathaniel McCallum - 1.11.1-8 +- Update otp backport patches (libk5radius => libkrad) + +* Wed Apr 3 2013 Nalin Dahyabhai 1.11.1-7 +- when testing the RPC library, treat denials from the local portmapper the + same as a portmapper-not-running situation, to allow other library tests + to be run while building the package + +* Thu Mar 28 2013 Nalin Dahyabhai 1.11.1-6 +- create and own 
/var/kerberos/krb5/user instead of /var/kerberos/kdc/user, + since that's what the libraries actually look for +- add buildrequires on nss-myhostname, in an attempt to get more of the tests + to run properly during builds +- pull in Simo's patch to recognize "client_keytab" as a key type which can + be passed in to gss_acquire_cred_from() (RT#7598) + +* Tue Mar 26 2013 Nalin Dahyabhai 1.11.1-5 +- pull up Simo's patch to mark the correct mechanism on imported GSSAPI + contexts (RT#7592) +- go back to using reconf to run autoconf and autoheader (part of rhbz#925640) +- add temporary patch to use newer config.guess/config.sub (more of rhbz#925640) + +* Mon Mar 18 2013 Nalin Dahyabhai +- fix a version comparison to expect newer texlive build requirements when + %%{_rhel} > 6 rather than when it's > 7 + +* Mon Mar 11 2013 Nathaniel McCallum 1.11.1-4 +- Add libverto-devel requires for krb5-devel +- Add otp support + +* Thu Feb 28 2013 Nalin Dahyabhai 1.11.1-3 +- fix a memory leak when acquiring credentials using a keytab (RT#7586, rhbz#911110) + +* Wed Feb 27 2013 Nalin Dahyabhai 1.11.1-2 +- prebuild PDF docs to reduce multilib differences (internal tooling, rhbz#884065) +- drop the kerberos-iv portreserve file, and drop the rest on systemd systems +- escape uses of macros in comments (more of rhbz#884065) + +* Mon Feb 25 2013 Nalin Dahyabhai 1.11.1-1 +- update to 1.11.1 + - drop patch for noticing negative timeouts being passed to the poll() + wrapper in the client transmit functions + +* Fri Feb 8 2013 Nalin Dahyabhai 1.11-2 +- set "rdns = false" in the default krb5.conf (rhbz#908323,rhbz#908324) + +* Tue Dec 18 2012 Nalin Dahyabhai 1.11-1 +- update to 1.11 release + +* Thu Dec 13 2012 Nalin Dahyabhai 1.11-0.beta2.0 +- update to 1.11 beta 2 + +* Thu Dec 13 2012 Nalin Dahyabhai +- when building with our bundled copy of libverto, package it in with -libs + rather than with -server (rhbz#886049) + +* Wed Nov 21 2012 Nalin Dahyabhai 1.11-0.beta1.0 +- update to 1.11 beta 1 
+ +* Fri Nov 16 2012 Nalin Dahyabhai 1.11-0.alpha1.1 +- handle releases where texlive packaging wasn't yet as complicated as it + is in Fedora 18 +- fix an uninitialized-variable error building one of the test programs + +* Fri Nov 16 2012 Nalin Dahyabhai 1.11-0.alpha1.0 +- move the rather large pile of html and pdf docs to -workstation, so + that just having something that links to the libraries won't drag + them onto a system, and we avoid having to sort out hard-coded paths + that include %%{_libdir} showing up in docs in multilib packages +- actually create %%{_var}/kerberos/kdc/user, so that it can be packaged +- correct the list of packaged man pages +- don't dummy up required tex stylesheets, require them +- require pdflatex and makeindex + +* Thu Nov 15 2012 Nalin Dahyabhai +- update to 1.11 alpha 1 + - drop backported patch for RT rhbz#7406 + - drop backported patch for RT rhbz#7407 + - drop backported patch for RT rhbz#7408 + - the new docs system generates PDFs, so stop including them as sources + - drop backported patch to allow deltat.y to build with the usual + warning flags and the current gcc + - drop backported fix for disabling use of a replay cache when verifying + initial credentials + - drop backported fix for teaching PKINIT clients which trust the KDC's + certificate directly to verify signed-data messages that are signed with + the KDC's certificate, when the blobs don't include a copy of the KDC's + certificate + - drop backported patches to make keytab-based authentication attempts + work better when the client tells the KDC that it supports a particular + cipher, but doesn't have a key for it in the keytab + - drop backported fix for avoiding spurious clock skew when a TGT is + decrypted long after the KDC sent it to the client which decrypts it + - move the cross-referenced HTML docs into the -libs package to avoid + broken internal links + - drop patches to fixup paths in man pages, shouldn't be needed any more + +* Wed Oct 17 2012 
Nalin Dahyabhai 1.10.3-7 +- tag a couple of other patches which we still need to be applied during + %%{?_rawbuild} builds (zmraz) + +* Tue Sep 25 2012 Nalin Dahyabhai 1.10.3-6 +- actually pull up the patch for RT#7063, and not some other ticket (rhbz#773496) + +* Mon Sep 10 2012 Nalin Dahyabhai 1.10.3-5 +- add patch based on one from Filip Krska to not call poll() with a negative + timeout when the caller's intent is for us to just stop calling it (rhbz#838548) + +* Fri Sep 7 2012 Nalin Dahyabhai +- on EL6, conflict with libsmbclient before 3.5.10-124, which is when it + stopped linking with a symbol which we no longer export (rhbz#771687) +- pull up patch for RT#7063, in which not noticing a prompt for a long + time throws the client library's idea of the time difference between it + and the KDC really far out of whack (rhbz#773496) +- add a backport of more patches to set the client's list of supported enctypes + when using a keytab to be the list of types of keys in the keytab, plus the + list of other types the client supports but for which it doesn't have keys, + in that order, so that KDCs have a better chance of being able to issue + tickets with session keys of types that the client can use (rhbz#837855) + +* Thu Sep 6 2012 Nalin Dahyabhai 1.10.3-4 +- cut down the number of times we load SELinux labeling configuration from + a minimum of two times to actually one (more of rhbz#845125) + +* Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-3 +- backport patch to disable replay detection in krb5_verify_init_creds() + while reading the AP-REQ that's generated in the same function (RT#7229) + +* Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-2 +- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6 +- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename +- reintroduce the init scripts for non-systemd releases +- forward-port %%{?_rawbuild} annotations from EL6 packaging + +* Thu Aug 9 2012 Nalin Dahyabhai 1.10.3-1 +- update to 1.10.3, rolling in the 
fixes from MITKRB5-SA-2012-001 + +* Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-7 +- selinux: hang on to the list of selinux contexts, freeing and reloading + it only when the file we read it from is modified, freeing it when the + shared library is being unloaded (rhbz#845125) + +* Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-6 +- go back to not messing with library file paths on Fedora 17: it breaks + file path dependencies in other packages, and since Fedora 17 is already + released, breaking that is our fault + +* Tue Jul 31 2012 Nalin Dahyabhai 1.10.2-5 +- add upstream patch to fix freeing an uninitialized pointer and dereferencing + another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 + and CVE-2012-1015, rhbz#844779 and rhbz#844777) +- fix a thinko in whether or not we mess around with devel .so symlinks on + systems without a separate /usr (sbose) + +* Fri Jul 27 2012 Fedora Release Engineering - 1.10.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 22 2012 Nalin Dahyabhai 1.10.2-3 +- backport a fix to allow a PKINIT client to handle SignedData from a KDC + that's signed with a certificate that isn't in the SignedData, but which + is available as an anchor or intermediate on the client (RT#7183) + +* Tue Jun 5 2012 Nalin Dahyabhai 1.10.2-2 +- back out this labeling change (dwalsh): + - when building the new label for a file we're about to create, also mix + in the current range, in addition to the current user + +* Fri Jun 1 2012 Nalin Dahyabhai 1.10.2-1 +- update to 1.10.2 + - when building the new label for a file we're about to create, also mix + in the current range, in addition to the current user + - also package the PDF format admin, user, and install guides + - drop some PDFs that no longer get built right +- add a backport of Stef's patch to set the client's list of supported + enctypes to match the types of keys that we have when we are using a + keytab to try to get initial credentials, so that a 
KDC won't send us + an AS reply that we can't encrypt (RT#2131, rhbz#748528) +- don't shuffle around any shared libraries on releases with no-separate-/usr, + since /usr/lib is the same place as /lib +- add explicit buildrequires: on 'hostname', for the tests, on systems where + it's in its own package, and require net-tools, which used to provide the + command, everywhere + +* Mon May 7 2012 Nalin Dahyabhai +- skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part + of rhbz#819115) + +* Tue May 1 2012 Nalin Dahyabhai 1.10.1-3 +- have -server require /usr/share/dict/words, which we set as the default + dict_file in kdc.conf (rhbz#817089) + +* Tue Mar 20 2012 Nalin Dahyabhai 1.10.1-2 +- change back dns_lookup_kdc to the default setting (Stef Walter, rhbz#805318) +- comment out example.com examples in default krb5.conf (Stef Walter, rhbz#805320) + +* Fri Mar 9 2012 Nalin Dahyabhai 1.10.1-1 +- update to 1.10.1 + - drop the KDC crash fix + - drop the KDC lookaside cache fix + - drop the fix for kadmind RPC ACLs (CVE-2012-1012) + +* Wed Mar 7 2012 Nalin Dahyabhai 1.10-5 +- when removing -workstation, remove our files from the info index while + the file is still there, in %%preun, rather than %%postun, and use the + compressed file's name (rhbz#801035) + +* Tue Feb 21 2012 Nathaniel McCallum - 1.10-4 +- Fix string RPC ACLs (RT#7093); CVE-2012-1012 + +* Tue Jan 31 2012 Nathaniel McCallum - 1.10-3 +- Add upstream lookaside cache behavior fix (RT#7082) + +* Mon Jan 30 2012 Nalin Dahyabhai 1.10-2 +- add patch to accept keytab entries with vno==0 as matches when we're + searching for an entry with a specific name/kvno (rhbz#230382/rhbz#782211,RT#3349) + +* Mon Jan 30 2012 Nalin Dahyabhai 1.10-1 +- update to 1.10 final + +* Thu Jan 26 2012 Nathaniel McCallum - 1.10-0.beta1.2 +- Add upstream crashfix patch (RT#7081) + +* Thu Jan 12 2012 Nalin Dahyabhai 1.10-0.beta1.1 +- update to beta 1 + +* Wed Jan 11 2012 Peter Robinson +- mktemp was long obsoleted by 
coreutils + +* Wed Jan 4 2012 Nalin Dahyabhai 1.10-0.alpha2.2 +- modify the deltat grammar to also tell gcc (4.7) to suppress + "maybe-uninitialized" warnings in addition to the "uninitialized" warnings + it's already being told to suppress (RT#7080) + +* Tue Dec 20 2011 Nalin Dahyabhai 1.10-0.alpha2.1 +- update to alpha 2 +- drop a couple of patches which were integrated for alpha 2 + +* Tue Dec 13 2011 Nalin Dahyabhai 1.10-0.alpha1.3 +- pull in patch for RT#7046: tag a ccache containing credentials obtained via + S4U2Proxy with the principal name of the proxying principal (part of rhbz#761317) + so that the default principal name can be set to that of the client for which + it is proxying, which results in the ccache looking more normal to consumers + of the ccache that don't care that there's proxying going on +- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached + (more of rhbz#761317) +- pull in patch for RT#7048: allow PAC verification to only bother trying to + verify the signature with keys that it's given (still more of rhbz#761317) + +* Tue Dec 6 2011 Nalin Dahyabhai 1.10-0.alpha1.2 +- apply upstream patch to fix a null pointer dereference when processing + TGS requests (CVE-2011-1530, rhbz#753748) + +* Wed Nov 30 2011 Nalin Dahyabhai 1.10-0.alpha1.1 +- correct a bug in the fix for rhbz#754001 so that the file creation context is + consistently reset + +* Tue Nov 15 2011 Nalin Dahyabhai 1.10-0.alpha1.0 +- update to 1.10 alpha 1 +- on newer releases where we can assume NSS >= 3.13, configure PKINIT to build + using NSS +- on newer releases where we build PKINIT using NSS, configure libk5crypto to + build using NSS +- rename krb5-pkinit-openssl to krb5-pkinit on newer releases where we're + expecting to build PKINIT using NSS instead +- during %%check, run check in the library and kdc subdirectories, which + should be able to run inside of the build system without issue + +* Wed Oct 26 2011 Fedora Release Engineering - 1.9.1-19 +- 
Rebuilt for glibc rhbz#747377 + +* Tue Oct 18 2011 Nalin Dahyabhai 1.9.1-18 +- apply upstream patch to fix a null pointer dereference with the LDAP kdb + backend (CVE-2011-1527, rhbz#744125), an assertion failure with multiple kdb + backends (CVE-2011-1528), and a null pointer dereference with multiple kdb + backends (CVE-2011-1529) (rhbz#737711) + +* Thu Oct 13 2011 Nalin Dahyabhai 1.9.1-17 +- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and + make it public (rhbz#745533) + +* Fri Oct 7 2011 Nalin Dahyabhai 1.9.1-16 +- kadmin.service: fix rhbz#723723 again +- kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command + lines, because systemd parsing doesn't handle alternate value shell variable + syntax +- kprop.service: add missing Type=forking so that systemd doesn't assume simple +- kprop.service: expect the ACL configuration to be there, not absent +- handle a harder-to-trigger assertion failure that starts cropping up when we + exit the transmit loop on time (rhbz#739853) + +* Sun Oct 2 2011 Tom Callaway 1.9.1-15 +- hardcode pid file as option in krb5kdc.service + +* Fri Sep 30 2011 Tom Callaway 1.9.1-14 +- fix pid path in krb5kdc.service + +* Mon Sep 19 2011 Tom Callaway 1.9.1-13 +- convert to systemd + +* Tue Sep 6 2011 Nalin Dahyabhai 1.9.1-12 +- pull in upstream patch for RT#6952, confusion following referrals for + cross-realm auth (rhbz#734341) +- pull in build-time deps for the tests + +* Thu Sep 1 2011 Nalin Dahyabhai 1.9.1-11 +- switch to the upstream patch for rhbz#727829 + +* Wed Aug 31 2011 Nalin Dahyabhai 1.9.1-10 +- handle an assertion failure that starts cropping up when the patch for + using poll (rhbz#701446) meets servers that aren't running KDCs or against + which the connection fails for other reasons (rhbz#727829, rhbz#734172) + +* Mon Aug 8 2011 Nalin Dahyabhai 1.9.1-9 +- override the default build rules to not delete temporary y.tab.c files, + so that they can be packaged, allowing debuginfo 
files which point to them + do so usefully (rhbz#729044) + +* Fri Jul 22 2011 Nalin Dahyabhai 1.9.1-8 +- build shared libraries with partial RELRO support (rhbz#723995) +- filter out potentially multiple instances of -Wl,-z,relro from krb5-config + output, now that it's in the buildroot's default LDFLAGS +- pull in a patch to fix losing track of the replay cache FD, from SVN by + way of Kevin Coffman + +* Wed Jul 20 2011 Nalin Dahyabhai 1.9.1-7 +- kadmind.init: drop the attempt to detect no-database-present errors (rhbz#723723), + which is too fragile in cases where the database has been manually moved or + is accessed through another kdb plugin + +* Tue Jul 19 2011 Nalin Dahyabhai 1.9.1-6 +- backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE + to talk to a KDC by using poll() if it's detected at compile-time (rhbz#701446, + RT#6905) + +* Thu Jun 23 2011 Nalin Dahyabhai 1.9.1-5 +- pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() + during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or + not to ask for an IPv6 address based on the set of configured interfaces + (rhbz#717378, RT#6922) +- pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) + +* Mon Jun 20 2011 Nalin Dahyabhai 1.9.1-4 +- apply upstream patch by way of Burt Holzman to fall back to a non-referral + method in cases where we might be derailed by a KDC that rejects the + canonicalize option (for example, those from the RHEL 2.1 or 3 era) (rhbz#715074) + +* Tue Jun 14 2011 Nalin Dahyabhai 1.9.1-3 +- pull a fix from SVN to get libgssrpc clients (e.g. 
kadmin) authenticating + using the old protocol over IPv4 again (RT#6920) + +* Tue Jun 14 2011 Nalin Dahyabhai +- incorporate a fix to teach the file labeling bits about when replay caches + are expunged (rhbz#576093) + +* Thu May 26 2011 Nalin Dahyabhai +- switch to the upstream patch for rhbz#707145 + +* Wed May 25 2011 Nalin Dahyabhai 1.9.1-2 +- klist: don't trip over referral entries when invoked with -s (rhbz#707145, + RT#6915) + +* Fri May 6 2011 Nalin Dahyabhai +- fixup URL in a comment +- when built with NSS, require 3.12.10 rather than 3.12.9 + +* Thu May 5 2011 Nalin Dahyabhai 1.9.1-1 +- update to 1.9.1: + - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, + CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 + +* Wed Apr 13 2011 Nalin Dahyabhai 1.9-9 +- kadmind: add upstream patch to fix free() on an invalid pointer (rhbz#696343, + MITKRB5-SA-2011-004, CVE-2011-0285) + +* Mon Apr 4 2011 Nalin Dahyabhai +- don't discard the error code from an error message received in response + to a change-password request (rhbz#658871, RT#6893) + +* Fri Apr 1 2011 Nalin Dahyabhai +- override INSTALL_SETUID at build-time so that ksu is installed into + the buildroot with the right permissions (part of rhbz#225974) + +* Fri Mar 18 2011 Nalin Dahyabhai 1.9-8 +- backport change from SVN to fix a computed-value-not-used warning in + kpropd (rhbz#684065) + +* Tue Mar 15 2011 Nalin Dahyabhai 1.9-7 +- turn off NSS as the backend for libk5crypto for now to work around its + DES string2key not working (rhbz#679012) +- add revised upstream patch to fix double-free in KDC while returning + typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, rhbz#674325) + +* Thu Feb 17 2011 Nalin Dahyabhai +- throw in a not-applied-by-default patch to try to make pkinit debugging + into a run-time boolean option named "pkinit_debug" + +* Wed Feb 16 2011 Nalin Dahyabhai 1.9-6 +- turn on NSS as the backend for libk5crypto, adding nss-devel as a build + dependency when 
that switch is flipped + +* Wed Feb 9 2011 Nalin Dahyabhai 1.9-5 +- krb5kdc init script: prototype some changes to do a quick spot-check + of the TGS and kadmind keys and warn if there aren't any non-weak keys + on file for them (to flush out parts of rhbz#651466) + +* Tue Feb 8 2011 Nalin Dahyabhai 1.9-4 +- add upstream patches to fix standalone kpropd exiting if the per-client + child process exits with an error (MITKRB5-SA-2011-001), a hang or crash + in the KDC when using the LDAP kdb backend, and an uninitialized pointer + use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, rhbz#664009, + CVE-2011-0281, rhbz#668719, CVE-2011-0282, rhbz#668726, CVE-2011-0283, rhbz#676126) + +* Mon Feb 07 2011 Fedora Release Engineering - 1.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Feb 7 2011 Nalin Dahyabhai +- fix a compile error in the SELinux labeling patch when -DDEBUG is used (Sumit + Bose) + +* Tue Feb 1 2011 Nalin Dahyabhai +- properly advertise that the kpropd init script now supports force-reload + (Zbysek Mraz, rhbz#630587) + +* Wed Jan 26 2011 Nalin Dahyabhai 1.9-2 +- pkinit: when verifying signed data, use the CMS APIs for better + interoperability (rhbz#636985, RT#6851) + +* Wed Dec 22 2010 Nalin Dahyabhai 1.9-1 +- update to 1.9 final + +* Mon Dec 20 2010 Nalin Dahyabhai 1.9-0.beta3.1 +- fix link flags and permissions on shared libraries (ausil) + +* Thu Dec 16 2010 Nalin Dahyabhai 1.9-0.beta3.0 +- update to 1.9 beta 3 + +* Mon Dec 6 2010 Nalin Dahyabhai 1.9-0.beta2.0 +- update to 1.9 beta 2 + +* Tue Nov 9 2010 Nalin Dahyabhai 1.9-0.beta1.1 +- drop not-needed-since-1.8 build dependency on rsh (ssorce) + +* Fri Nov 5 2010 Nalin Dahyabhai 1.9-0.beta1.0 +- start moving to 1.9 with beta 1 + - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 + - drop no-longer-needed backport patch for rhbz#539423 + - drop no-longer-needed patch for CVE-2010-1322 +- if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) + 
+* Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 +- incorporate upstream patch to fix uninitialized pointer crash in the KDC's + authorization data handling (CVE-2010-1322, rhbz#636335) + +* Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-7 +- rebuild + +* Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-6 +- pull down patches from trunk to implement k5login_authoritative and + k5login_directory settings for krb5.conf (rhbz#539423) + +* Wed Sep 29 2010 jkeating - 1.8.3-5 +- Rebuilt for gcc rhbz#634757 + +* Wed Sep 15 2010 Nalin Dahyabhai 1.8.3-4 +- fix reading of keyUsage extensions when attempting to select pkinit client + certs (part of rhbz#629022, RT#6775) +- fix selection of pkinit client certs when one or more don't include a + subjectAltName extension (part of rhbz#629022, RT#6774) + +* Fri Sep 3 2010 Nalin Dahyabhai 1.8.3-3 +- build with -fstack-protector-all instead of the default -fstack-protector, + so that we add checking to more functions (i.e., all of them) (rhbz#629950) +- also link binaries with -Wl,-z,relro,-z,now (part of rhbz#629950) + +* Tue Aug 24 2010 Nalin Dahyabhai 1.8.3-2 +- fix a logic bug in computing key expiration times (RT#6762, rhbz#627022) + +* Wed Aug 4 2010 Nalin Dahyabhai 1.8.3-1 +- update to 1.8.3 + - drop backports of fixes for gss context expiration and error table + registration/deregistration mismatch + - drop patch for upstream rhbz#6750 + +* Wed Jul 7 2010 Nalin Dahyabhai 1.8.2-3 +- tell krb5kdc and kadmind to create pid files, since they can +- add logrotate configuration files for krb5kdc and kadmind (rhbz#462658) +- fix parsing of the pidfile option in the KDC (upstream rhbz#6750) + +* Mon Jun 21 2010 Nalin Dahyabhai 1.8.2-2 +- libgssapi: pull in patch from svn to stop returning context-expired errors + when the ticket which was used to set up the context expires (rhbz#605366, + upstream rhbz#6739) + +* Mon Jun 21 2010 Nalin Dahyabhai +- pull up fix for upstream rhbz#6745, in which the gssapi library would add the + wrong error table but subsequently 
attempt to unload the right one + +* Thu Jun 10 2010 Nalin Dahyabhai 1.8.2-1 +- update to 1.8.2 + - drop patches for CVE-2010-1320, CVE-2010-1321 + +* Tue Jun 1 2010 Nalin Dahyabhai 1.8.1-7 +- rebuild + +* Thu May 27 2010 Nalin Dahyabhai +- ksu: move session management calls to before we drop privileges, like + su does (rhbz#596887), and don't skip the PAM account check for root or the + same user (more of rhbz#540769) + +* Mon May 24 2010 Nalin Dahyabhai 1.8.1-6 +- make krb5-server-ldap also depend on the same version-release of krb5-libs, + as the other subpackages do, if only to make it clearer than it is when we + just do it through krb5-server +- drop explicit linking with libtinfo for applications that use libss, now + that readline itself links with libtinfo (as of readline-5.2-3, since + fedora 7 or so) +- go back to building without strict aliasing (compiler warnings in gssrpc) + +* Tue May 18 2010 Nalin Dahyabhai 1.8.1-5 +- add patch to correct GSSAPI library null pointer dereference which could be + triggered by malformed client requests (CVE-2010-1321, rhbz#582466) + +* Tue May 4 2010 Nalin Dahyabhai 1.8.1-4 +- fix output of kprop's init script's "status" and "reload" commands (rhbz#588222) + +* Tue Apr 20 2010 Nalin Dahyabhai 1.8.1-3 +- incorporate patch to fix double-free in the KDC (CVE-2010-1320, rhbz#581922) + +* Wed Apr 14 2010 Nalin Dahyabhai 1.8.1-2 +- fix a typo in kerberos.ldif + +* Fri Apr 9 2010 Nalin Dahyabhai 1.8.1-1 +- update to 1.8.1 + - no longer need patches for rhbz#555875, rhbz#561174, rhbz#563431, RT#6661, CVE-2010-0628 +- replace buildrequires on tetex-latex with one on texlive-latex, which is + the package that provides it now + +* Thu Apr 8 2010 Nalin Dahyabhai +- kdc.conf: no more need to suggest a v4 mode, or listening on the v4 port + +* Thu Apr 8 2010 Nalin Dahyabhai +- drop patch to suppress key expiration warnings sent from the KDC in + the last-req field, as the KDC is expected to just be configured to either + send them 
or not as a particular key approaches expiration (rhbz#556495) + +* Tue Mar 23 2010 Nalin Dahyabhai - 1.8-5 +- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, rhbz#576325) +- kdc.conf: no more need to suggest keeping keys with v4-compatible salting + +* Fri Mar 19 2010 Nalin Dahyabhai - 1.8-4 +- remove the krb5-appl bits (the -workstation-clients and -workstation-servers + subpackages) now that krb5-appl is its own package +- replace our patch for rhbz#563431 (kpasswd doesn't fall back to guessing your + principal name using your user name if you don't have a ccache) with the + one upstream uses + +* Fri Mar 12 2010 Nalin Dahyabhai - 1.8-3 +- add documentation for the ticket_lifetime option (rhbz#561174) + +* Mon Mar 8 2010 Nalin Dahyabhai - 1.8-2 +- pull up patch to get the client libraries to correctly perform password + changes over IPv6 (Sumit Bose, RT#6661) + +* Fri Mar 5 2010 Nalin Dahyabhai - 1.8-1 +- update to 1.8 + - temporarily bundling the krb5-appl package (split upstream as of 1.8) + until its package review is complete + - profile.d scriptlets are now only needed by -workstation-clients + - adjust paths in init scripts + - drop upstreamed fix for KDC denial of service (CVE-2010-0283) + - drop patch to check the user's password correctly using crypt(), which + isn't a code path we hit when we're using PAM + +* Wed Mar 3 2010 Nalin Dahyabhai - 1.7.1-6 +- fix a null pointer dereference and crash introduced in our PAM patch that + would happen if ftpd was given the name of a user who wasn't known to the + local system, limited to being triggerable by gssapi-authenticated clients by + the default xinetd config (Olivier Fourdan, rhbz#569472) + +* Tue Mar 2 2010 Nalin Dahyabhai - 1.7.1-5 +- fix a regression (not labeling a kdb database lock file correctly, rhbz#569902) + +* Thu Feb 25 2010 Nalin Dahyabhai - 1.7.1-4 +- move the package changelog to the end to match the usual style (jdennis) +- scrub out references to RPM_SOURCE_DIR (jdennis) 
+- include a symlink to the readme with the name LICENSE so that people can + find it more easily (jdennis) + +* Wed Feb 17 2010 Nalin Dahyabhai - 1.7.1-3 +- pull up the change to make kpasswd's behavior better match the docs + when there's no ccache (rhbz#563431) + +* Tue Feb 16 2010 Nalin Dahyabhai - 1.7.1-2 +- apply patch from upstream to fix KDC denial of service (CVE-2010-0283, + rhbz#566002) + +* Wed Feb 3 2010 Nalin Dahyabhai - 1.7.1-1 +- update to 1.7.1 + - don't trip AD lockout on wrong password (rhbz#542687, rhbz#554351) + - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 + - fixes gss_krb5_copy_ccache() when SPNEGO is used +- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to + the devel subpackage, better lining up with the expected krb5/krb5-appl + split in 1.8 +- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already + depends on -workstation which also includes them + +* Mon Jan 25 2010 Nalin Dahyabhai - 1.7-23 +- tighten up default permissions on kdc.conf and kadm5.acl (rhbz#558343) + +* Fri Jan 22 2010 Nalin Dahyabhai - 1.7-22 +- use portreserve correctly -- portrelease takes the basename of the file + whose entries should be released, so we need three files, not one + +* Mon Jan 18 2010 Nalin Dahyabhai - 1.7-21 +- suppress warnings of impending password expiration if expiration is more than + seven days away when the KDC reports it via the last-req field, just as we + already do when it reports expiration via the key-expiration field (rhbz#556495) +- link with libtinfo rather than libncurses, when we can, in future RHEL + +* Fri Jan 15 2010 Nalin Dahyabhai - 1.7-20 +- krb5_get_init_creds_password: check opte->flags instead of options->flags + when checking whether or not we get to use the prompter callback (rhbz#555875) + +* Thu Jan 14 2010 Nalin Dahyabhai - 1.7-19 +- use portreserve to make sure the KDC can always bind to the kerberos-iv + port, kpropd can always bind to the krb5_prop port, and that 
kadmind can + always bind to the kerberos-adm port (rhbz#555279) +- correct inadvertent use of macros in the changelog (rpmlint) + +* Tue Jan 12 2010 Nalin Dahyabhai - 1.7-18 +- add upstream patch for integer underflow during AES and RC4 decryption + (CVE-2009-4212), via Tom Yu (rhbz#545015) + +* Wed Jan 6 2010 Nalin Dahyabhai - 1.7-17 +- put the conditional back for the -devel subpackage +- back down to the earlier version of the patch for rhbz#551764; the backported + alternate version was incomplete + +* Tue Jan 5 2010 Nalin Dahyabhai - 1.7-16 +- use %%global instead of %%define +- pull up proposed patch for creating previously-not-there lock files for + kdb databases when 'kdb5_util' is called to 'load' (rhbz#551764) + +* Mon Jan 4 2010 Dennis Gregorovic +- fix conditional for future RHEL + +* Mon Jan 4 2010 Nalin Dahyabhai - 1.7-15 +- add upstream patch for KDC crash during referral processing (CVE-2009-3295), + via Tom Yu (rhbz#545002) + +* Mon Dec 21 2009 Nalin Dahyabhai - 1.7-14 +- refresh patch for rhbz#542868 from trunk + +* Thu Dec 10 2009 Nalin Dahyabhai +- move man pages that live in the -libs subpackage into the regular + %%{_mandir} tree where they'll still be found if that package is the + only one installed (rhbz#529319) + +* Wed Dec 9 2009 Nalin Dahyabhai - 1.7-13 +- and put it back in + +* Tue Dec 8 2009 Nalin Dahyabhai +- back that last change out + +* Tue Dec 8 2009 Nalin Dahyabhai - 1.7-12 +- try to make gss_krb5_copy_ccache() work correctly for spnego (rhbz#542868) + +* Fri Dec 4 2009 Nalin Dahyabhai +- make krb5-config suppress CFLAGS output when called with --libs (rhbz#544391) + +* Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11 +- ksu: move account management checks to before we drop privileges, like + su does (rhbz#540769) +- selinux: set the user part of file creation contexts to match the current + context instead of what we looked up +- configure with --enable-dns-for-realm instead of --enable-dns, which isn't + recognized any more + +* Fri 
Nov 20 2009 Nalin Dahyabhai - 1.7-10 +- move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, + where it's actually needed (rhbz#538703) + +* Fri Oct 23 2009 Nalin Dahyabhai - 1.7-9 +- add some conditional logic to simplify building on older Fedora releases + +* Tue Oct 13 2009 Nalin Dahyabhai +- don't forget the README + +* Mon Sep 14 2009 Nalin Dahyabhai - 1.7-8 +- specify the location of the subsystem lock when using the status() function + in the kadmind and kpropd init scripts, so that we get the right error when + we're dead but have a lock file - requires initscripts 8.99 (rhbz#521772) + +* Tue Sep 8 2009 Nalin Dahyabhai +- if the init script fails to start krb5kdc/kadmind/kpropd because it's already + running (according to status()), return 0 (part of rhbz#521772) + +* Mon Aug 24 2009 Nalin Dahyabhai - 1.7-7 +- work around a compile problem with new openssl + +* Fri Aug 21 2009 Tomas Mraz - 1.7-6 +- rebuilt with new openssl + +* Fri Jul 24 2009 Fedora Release Engineering - 1.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jul 7 2009 Nalin Dahyabhai 1.7-5 +- rebuild to pick up the current forms of various patches + +* Mon Jul 6 2009 Nalin Dahyabhai +- simplify the man pages patch by only preprocessing the files we care about + and moving shared configure.in logic into a shared function +- catch the case of ftpd printing file sizes using %%i, when they might be + bigger than an int now + +* Tue Jun 30 2009 Nalin Dahyabhai 1.7-4 +- try to merge and clean up all the large file support for ftp and rcp + - ftpd no longer prints a negative length when sending a large file + from a 32-bit host + +* Tue Jun 30 2009 Nalin Dahyabhai +- pam_rhosts_auth.so's been gone, use pam_rhosts.so instead + +* Mon Jun 29 2009 Nalin Dahyabhai 1.7-3 +- switch buildrequires: and requires: on e2fsprogs-devel into + buildrequires: and requires: on libss-devel, libcom_err-devel, per + sandeen on fedora-devel-list + +* Fri Jun 26 2009 
Nalin Dahyabhai +- fix a type mismatch in krb5_copy_error_message() +- ftp: fix some odd use of strlen() +- selinux labeling: use selabel_open() family of functions rather than + matchpathcon(), bail on it if attempting to get the mutex lock fails + +* Tue Jun 16 2009 Nalin Dahyabhai +- compile with %%{?_smp_mflags} (Steve Grubb) +- drop the bit where we munge part of the error table header, as it's not + needed any more + +* Fri Jun 5 2009 Nalin Dahyabhai 1.7-2 +- add and own %%{_libdir}/krb5/plugins/authdata + +* Thu Jun 4 2009 Nalin Dahyabhai 1.7-1 +- update to 1.7 + - no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS + - configure recognizes --enable/--disable-pkinit now + - configure can take --disable-rpath now + - no more libdes425, krb524d, krb425.info + - kadmin/k5srvutil/ktutil are user commands now + - new kproplog + - FAST encrypted-challenge plugin is new +- drop static build logic +- drop pam_krb5-specific configuration from the default krb5.conf +- drop only-use-v5 flags being passed to various things started by xinetd +- put %%{krb5prefix}/sbin in everyone's path, too (rhbz#504525) + +* Tue May 19 2009 Nalin Dahyabhai 1.6.3-106 +- add an auth stack to ksu's PAM configuration so that pam_setcred() calls + won't just fail + +* Mon May 11 2009 Nalin Dahyabhai 1.6.3-105 +- make PAM support for ksu also set PAM_RUSER + +* Thu Apr 23 2009 Nalin Dahyabhai 1.6.3-104 +- extend PAM support to ksu: perform account and session management for the + target user +- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware + network-facing services + +* Tue Apr 21 2009 Nalin Dahyabhai 1.6.3-103 +- fix a typo in a ksu error message (Marek Mahut) +- "rev" works the way the test suite expects now, so don't disable tests + that use it + +* Mon Apr 20 2009 Nalin Dahyabhai 1.6.3-102 +- add LSB-style init script info + +* Fri Apr 17 2009 Nalin Dahyabhai +- explicitly run the pdf generation script using sh (part of rhbz#225974) + +* Tue 
Apr 7 2009 Nalin Dahyabhai 1.6.3-101 +- add patches for read overflow and null pointer dereference in the + implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) +- add patch for attempt to free uninitialized pointer in libkrb5 + (CVE-2009-0846) +- add patch to fix length validation bug in libkrb5 (CVE-2009-0847) +- put the krb5-user .info file into just -workstation and not also + -workstation-clients + +* Mon Apr 6 2009 Nalin Dahyabhai 1.6.3-100 +- turn off krb4 support (it won't be part of the 1.7 release, but do it now) +- use triggeruns to properly shut down and disable krb524d when -server and + -workstation-servers gets upgraded, because it's gone now +- move the libraries to /%%{_lib}, but leave --libdir alone so that plugins + get installed and are searched for in the same locations (rhbz#473333) +- clean up buildprereq/prereqs, explicit mktemp requires, and add the + ldconfig for the -server-ldap subpackage (part of rhbz#225974) +- escape possible macros in the changelog (part of rhbz#225974) +- fixup summary texts (part of rhbz#225974) +- take the execute bit off of the protocol docs (part of rhbz#225974) +- unflag init scripts as configuration files (part of rhbz#225974) +- make the kpropd init script treat 'reload' as 'restart' (part of rhbz#225974) + +* Tue Mar 17 2009 Nalin Dahyabhai 1.6.3-19 +- libgssapi_krb5: backport fix for some errors which can occur when + we fail to set up the server half of a context (CVE-2009-0845) + +* Wed Feb 25 2009 Fedora Release Engineering - 1.6.3-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 16 2009 Nalin Dahyabhai 1.6.3-17 +- rebuild + +* Thu Sep 4 2008 Nalin Dahyabhai +- if we successfully change the user's password during an attempt to get + initial credentials, but then fail to get initial creds from a non-master + using the new password, retry against the master (rhbz#432334) + +* Tue Aug 5 2008 Tom "spot" Callaway 1.6.3-16 +- fix license tag + +* Wed Jul 16 
2008 Nalin Dahyabhai +- clear fuzz out of patches, dropping a man page patch which is no longer + necessary +- quote %%{__cc} where needed because it includes whitespace now +- define ASN1BUF_OMIT_INLINE_FUNCS at compile-time (for now) to keep building + +* Fri Jul 11 2008 Nalin Dahyabhai 1.6.3-15 +- build with -fno-strict-aliasing, which is needed because the library + triggers these warnings +- don't forget to label principal database lock files +- fix the labeling patch so that it doesn't break bootstrapping + +* Sat Jun 14 2008 Tom "spot" Callaway 1.6.3-14 +- generate src/include/krb5/krb5.h before building +- fix conditional for sparcv9 + +* Wed Apr 16 2008 Nalin Dahyabhai 1.6.3-13 +- ftp: use the correct local filename during mget when the 'case' option is + enabled (rhbz#442713) + +* Fri Apr 4 2008 Nalin Dahyabhai 1.6.3-12 +- stop exporting kadmin keys to a keytab file when kadmind starts -- the + daemon's been able to use the database directly for a long long time now +- belatedly add aes128,aes256 to the default set of supported key types + +* Tue Apr 1 2008 Nalin Dahyabhai 1.6.3-11 +- libgssapi_krb5: properly export the acceptor subkey when creating a lucid + context (Kevin Coffman, via the nfs4 mailing list) + +* Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-10 +- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer + when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, + rhbz#432620, rhbz#432621) +- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when + high-numbered descriptors are used (CVE-2008-0947, rhbz#433596) +- add backport bug fix for an attempt to free non-heap memory in + libgssapi_krb5 (CVE-2007-5901, rhbz#415321) +- add backport bug fix for a double-free in out-of-memory situations in + libgssapi_krb5 (CVE-2007-5971, rhbz#415351) + +* Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-9 +- rework file labeling patch to not depend on fragile preprocessor trickery, + in another attempt at fixing 
rhbz#428355 and friends + +* Tue Feb 26 2008 Nalin Dahyabhai 1.6.3-8 +- ftp: add patch to fix "runique on" case when globbing fixes applied +- stop adding a redundant but harmless call to initialize the gssapi internals + +* Mon Feb 25 2008 Nalin Dahyabhai +- add patch to suppress double-processing of /etc/krb5.conf when we build + with --sysconfdir=/etc, thereby suppressing double-logging (rhbz#231147) + +* Mon Feb 25 2008 Nalin Dahyabhai +- remove a patch, to fix problems with interfaces which are "up" but which + have no address assigned, which conflicted with a different fix for the same + problem in 1.5 (rhbz#200979) + +* Mon Feb 25 2008 Nalin Dahyabhai +- ftp: don't lose track of a descriptor on passive get when the server fails to + open a file + +* Mon Feb 25 2008 Nalin Dahyabhai +- in login, allow PAM to interact with the user when they've been strongly + authenticated +- in login, signal PAM when we're changing an expired password that it's an + expired password, so that when cracklib flags a password as being weak it's + treated as an error even if we're running as root + +* Mon Feb 18 2008 Nalin Dahyabhai 1.6.3-7 +- drop netdb patch +- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that + the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora, + Netscape, Red Hat Directory Server (Simo Sorce) + +* Wed Feb 13 2008 Nalin Dahyabhai 1.6.3-6 +- patch to avoid depending on to define NI_MAXHOST and NI_MAXSERV + +* Tue Feb 12 2008 Nalin Dahyabhai 1.6.3-5 +- enable patch for key-expiration reporting +- enable patch to make kpasswd fall back to TCP if UDP fails (rhbz#251206) +- enable patch to make kpasswd use the right sequence number on retransmit +- enable patch to allow mech-specific creds delegated under spnego to be found + when searching for creds + +* Wed Jan 2 2008 Nalin Dahyabhai 1.6.3-4 +- some init script cleanups + - drop unquoted check and silent exit for "$NETWORKING" (rhbz#426852, rhbz#242502) + - krb524: 
don't barf on missing database if it looks like we're using kldap, + same as for kadmin + - return non-zero status for missing files which cause startup to + fail (rhbz#242502) + +* Tue Dec 18 2007 Nalin Dahyabhai 1.6.3-3 +- allocate space for the nul-terminator in the local pathname when looking up + a file context, and properly free a previous context (Jose Plans, rhbz#426085) + +* Wed Dec 5 2007 Nalin Dahyabhai 1.6.3-2 +- rebuild + +* Tue Oct 23 2007 Nalin Dahyabhai 1.6.3-1 +- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 + and CVE-2007-4000 (the new pkinit module is built conditionally and goes + into the -pkinit-openssl package, at least for now, to make a buildreq + loop with openssl avoidable) + +* Wed Oct 17 2007 Nalin Dahyabhai 1.6.2-10 +- make proper use of pam_loginuid and pam_selinux in rshd and ftpd + +* Fri Oct 12 2007 Nalin Dahyabhai +- make krb5.conf %%verify(not md5 size mtime) in addition to + %%config(noreplace), like /etc/nsswitch.conf (rhbz#329811) + +* Mon Oct 1 2007 Nalin Dahyabhai 1.6.2-9 +- apply the fix for CVE-2007-4000 instead of the experimental patch for + setting ok-as-delegate flags + +* Tue Sep 11 2007 Nalin Dahyabhai 1.6.2-8 +- move the db2 kdb plugin from -server to -libs, because a multilib libkdb + might need it + +* Tue Sep 11 2007 Nalin Dahyabhai 1.6.2-7 +- also perform PAM session and credential management when ftpd accepts a + client using strong authentication, missed earlier +- also label kadmind log files and files created by the db2 plugin + +* Thu Sep 6 2007 Nalin Dahyabhai 1.6.2-6 +- incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) +- fix incorrect call to "test" in the kadmin init script (rhbz#252322,rhbz#287291) + +* Tue Sep 4 2007 Nalin Dahyabhai 1.6.2-5 +- incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) + +* Sat Aug 25 2007 Nalin Dahyabhai 1.6.2-4 +- cover more cases in labeling files on creation +- add missing gawk build dependency + +* Thu Aug 23 2007 Nalin 
Dahyabhai 1.6.2-3 +- rebuild + +* Thu Jul 26 2007 Nalin Dahyabhai 1.6.2-2 +- kdc.conf: default to listening for TCP clients, too (rhbz#248415) + +* Thu Jul 19 2007 Nalin Dahyabhai 1.6.2-1 +- update to 1.6.2 +- add "buildrequires: texinfo-tex" to get texi2pdf + +* Wed Jun 27 2007 Nalin Dahyabhai 1.6.1-8 +- incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443) + and MITKRB5-SA-2007-005 (CVE-2007-2798) + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-7 +- reintroduce missing %%postun for the non-split_workstation case + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-6 +- rebuild + +* Mon Jun 25 2007 Nalin Dahyabhai 1.6.1-5.1 +- rebuild + +* Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-5 +- add missing pam-devel build requirement, force selinux-or-fail build + +* Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-4 +- rebuild + +* Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-3 +- label all files at creation-time according to the SELinux policy (rhbz#228157) + +* Fri Jun 22 2007 Nalin Dahyabhai +- perform PAM account / session management in krshd (rhbz#182195,rhbz#195922) +- perform PAM authentication and account / session management in ftpd +- perform PAM authentication, account / session management, and password- + changing in login.krb5 (rhbz#182195,rhbz#195922) + +* Fri Jun 22 2007 Nalin Dahyabhai +- preprocess kerberos.ldif into a format FDS will like better, and include + that as a doc file as well + +* Fri Jun 22 2007 Nalin Dahyabhai +- switch man pages to being generated with the right paths in them +- drop old, incomplete SELinux patch +- add patch from Greg Hudson to make srvtab routines report missing-file errors + at same point that keytab routines do (rhbz#241805) + +* Thu May 24 2007 Nalin Dahyabhai 1.6.1-2 +- pull patch from svn to undo unintentional chattiness in ftp +- pull patch from svn to handle NULL krb5_get_init_creds_opt structures + better in a couple of places where they're expected + +* Wed May 23 2007 Nalin Dahyabhai 1.6.1-1 +- update to 1.6.1 + - drop 
no-longer-needed patches for CVE-2007-0956,CVE-2007-0957,CVE-2007-1216 + - drop patch for sendto bug in 1.6, fixed in 1.6.1 + +* Fri May 18 2007 Nalin Dahyabhai +- kadmind.init: don't fail outright if the default principal database + isn't there if it looks like we might be using the kldap plugin +- kadmind.init: attempt to extract the key for the host-specific kadmin + service when we try to create the keytab + +* Wed May 16 2007 Nalin Dahyabhai 1.6-6 +- omit dependent libraries from the krb5-config --libs output, as using + shared libraries (no more static libraries) makes them unnecessary and + they're not part of the libkrb5 interface (patch by Rex Dieter, rhbz#240220) + (strips out libkeyutils, libresolv, libdl) + +* Fri May 4 2007 Nalin Dahyabhai 1.6-5 +- pull in keyutils as a build requirement to get the "KEYRING:" ccache type, + because we've merged + +* Fri May 4 2007 Nalin Dahyabhai 1.6-4 +- fix an uninitialized length value which could cause a crash when parsing + key data coming from a directory server +- correct a typo in the krb5.conf man page ("ldap_server"->"ldap_servers") + +* Fri Apr 13 2007 Nalin Dahyabhai +- move the default acl_file, dict_file, and admin_keytab settings to + the part of the default/example kdc.conf where they'll actually have + an effect (rhbz#236417) + +* Thu Apr 5 2007 Nalin Dahyabhai 1.5-24 +- merge security fixes from RHSA-2007:0095 + +* Tue Apr 3 2007 Nalin Dahyabhai 1.6-3 +- add patch to correct unauthorized access via krb5-aware telnet + daemon (rhbz#229782, CVE-2007-0956) +- add patch to fix buffer overflow in krb5kdc and kadmind + (rhbz#231528, CVE-2007-0957) +- add patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) + +* Thu Mar 22 2007 Nalin Dahyabhai +- back out buildrequires: keyutils-libs-devel for now + +* Thu Mar 22 2007 Nalin Dahyabhai 1.6-2 +- add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches, + dragging keyutils-libs in as a dependency + +* Mon Mar 19 2007 Nalin Dahyabhai 
1.5-23 +- fix bug ID in changelog + +* Thu Mar 15 2007 Nalin Dahyabhai 1.5-22 + +* Thu Mar 15 2007 Nalin Dahyabhai 1.5-21 +- add preliminary patch to fix buffer overflow in krb5kdc and kadmind + (rhbz#231528, CVE-2007-0957) +- add preliminary patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) + +* Wed Feb 28 2007 Nalin Dahyabhai +- add patch to build semi-useful static libraries, but don't apply it unless + we need them + +* Tue Feb 27 2007 Nalin Dahyabhai - 1.5-20 +- temporarily back out %%post changes, fix for rhbz#143289 for security update +- add preliminary patch to correct unauthorized access via krb5-aware telnet + +* Mon Feb 19 2007 Nalin Dahyabhai +- make profile.d scriptlets mode 644 instead of 755 (part of rhbz#225974) + +* Tue Jan 30 2007 Nalin Dahyabhai 1.6-1 +- clean up quoting of command-line arguments passed to the krsh/krlogin + wrapper scripts + +* Mon Jan 22 2007 Nalin Dahyabhai +- initial update to 1.6, pre-package-reorg +- move workstation daemons to a new subpackage (rhbz#81836, rhbz#216356, rhbz#217301), and + make the new subpackage require xinetd (rhbz#211885) + +* Mon Jan 22 2007 Nalin Dahyabhai - 1.5-18 +- make use of install-info more failsafe (Ville Skyttä, rhbz#223704) +- preserve timestamps on shell scriptlets at %%install-time + +* Tue Jan 16 2007 Nalin Dahyabhai - 1.5-17 +- move to using pregenerated PDF docs to cure multilib conflicts (rhbz#222721) + +* Fri Jan 12 2007 Nalin Dahyabhai - 1.5-16 +- update backport of the preauth module interface (part of rhbz#194654) + +* Tue Jan 9 2007 Nalin Dahyabhai - 1.5-14 +- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (rhbz#218456) +- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (rhbz#218456) + +* Wed Dec 20 2006 Nalin Dahyabhai - 1.5-12 +- update backport of the preauth module interface + +* Mon Oct 30 2006 Nalin Dahyabhai +- update backport of the preauth module interface +- add proposed patches 4566, 4567 +- add proposed edata reporting 
interface for KDC
+- add temporary placeholder for module global context fixes
+
+* Mon Oct 23 2006 Nalin Dahyabhai - 1.5-11
+- don't bail from the KDC init script if there's no database, it may be in
+ a different location than the default (fenlason)
+- remove the [kdc] section from the default krb5.conf -- doesn't seem to have
+ been applicable for a while
+
+* Wed Oct 18 2006 Nalin Dahyabhai - 1.5-10
+- rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623)
+- way-late application of added error info in kadmind.init (rhbz#65853)
+
+* Wed Oct 18 2006 Nalin Dahyabhai - 1.5-9.pal_18695
+- add backport of in-development preauth module interface (rhbz#208643)
+
+* Mon Oct 9 2006 Nalin Dahyabhai - 1.5-9
+- provide docs in PDF format instead of as tex source (Enrico Scholz, rhbz#209943)
+
+* Wed Oct 4 2006 Nalin Dahyabhai - 1.5-8
+- add missing shebang headers to krsh and krlogin wrapper scripts (rhbz#209238)
+
+* Wed Sep 6 2006 Nalin Dahyabhai - 1.5-7
+- set SS_LIB at configure-time so that libss-using apps get working readline
+ support (rhbz#197044)
+
+* Fri Aug 18 2006 Nalin Dahyabhai - 1.5-6
+- switch to the updated patch for MITKRB-SA-2006-001
+
+* Tue Aug 8 2006 Nalin Dahyabhai - 1.5-5
+- apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084)
+
+* Mon Aug 7 2006 Nalin Dahyabhai - 1.5-4
+- ensure that the gssapi library's been initialized before walking the
+ internal mechanism list in gss_release_oid(), needed if called from
+ gss_release_name() right after a gss_import_name() (rhbz#198092)
+
+* Tue Jul 25 2006 Nalin Dahyabhai - 1.5-3
+- rebuild
+
+* Tue Jul 25 2006 Nalin Dahyabhai - 1.5-2
+- pull up latest revision of patch to reduce lockups in rsh/rshd
+
+* Mon Jul 17 2006 Nalin Dahyabhai - 1.5-1.2
+- rebuild
+
+* Wed Jul 12 2006 Jesse Keating - 1.5-1.1
+- rebuild
+
+* Thu Jul 6 2006 Nalin Dahyabhai 1.5-1
+- build
+
+* Wed Jul 5 2006 Nalin Dahyabhai 1.5-0
+- update to 1.5
+
+* Fri Jun 23 2006 Nalin Dahyabhai 1.4.3-9
+- mark profile.d config 
files noreplace (Laurent Rineau, rhbz#196447)
+
+* Thu Jun 8 2006 Nalin Dahyabhai 1.4.3-8
+- add buildprereq for autoconf
+
+* Mon May 22 2006 Nalin Dahyabhai 1.4.3-7
+- further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit
+ architectures, to avoid multilib conflicts; other changes will conspire to
+ strip out the -L flag which uses this, so it should be harmless (rhbz#192692)
+
+* Fri Apr 28 2006 Nalin Dahyabhai 1.4.3-6
+- adjust the patch which removes the use of rpath to also produce a
+ krb5-config which is okay in multilib environments (rhbz#190118)
+- make the name-of-the-tempfile comment which compile_et adds to error code
+ headers always list the same file to avoid conflicts on multilib installations
+- strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes
+- strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on mulitlib
+ boxes
+
+* Fri Apr 14 2006 Stepan Kasal 1.4.3-5
+- Fix formatting typo in kinit.1 (krb5-kinit-man-typo.patch)
+
+* Fri Feb 10 2006 Jesse Keating 1.4.3-4.1
+- bump again for double-long bug on ppc(64)
+
+* Mon Feb 6 2006 Nalin Dahyabhai 1.4.3-4
+- give a little bit more information to the user when kinit gets the catch-all
+ I/O error (rhbz#180175)
+
+* Thu Jan 19 2006 Nalin Dahyabhai 1.4.3-3
+- rebuild properly when pthread_mutexattr_setrobust_np() is defined but not
+ declared, such as with recent glibc when _GNU_SOURCE isn't being used
+
+* Thu Jan 19 2006 Matthias Clasen 1.4.3-2
+- Use full paths in krb5.sh to avoid path lookups
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Thu Dec 1 2005 Nalin Dahyabhai
+- login: don't truncate passwords before passing them into crypt(), in
+ case they're significant (rhbz#149476)
+
+* Thu Nov 17 2005 Nalin Dahyabhai 1.4.3-1
+- update to 1.4.3
+- make ksu setuid again (rhbz#137934, others)
+
+* Tue Sep 13 2005 Nalin Dahyabhai 1.4.2-4
+- mark %%{krb5prefix}/man so that files which are packaged within it are
+ flagged as %%doc 
(rhbz#168163)
+
+* Tue Sep 6 2005 Nalin Dahyabhai 1.4.2-3
+- add an xinetd configuration file for encryption-only telnetd, parallelling
+ the kshell/ekshell pair (rhbz#167535)
+
+* Wed Aug 31 2005 Nalin Dahyabhai 1.4.2-2
+- change the default configured encryption type for KDC databases to the
+ compiled-in default of des3-hmac-sha1 (rhbz#57847)
+
+* Thu Aug 11 2005 Nalin Dahyabhai 1.4.2-1
+- update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and
+ MIT-KRB5-SA-2005-003
+
+* Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-6
+- rebuild
+
+* Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-5
+- fix telnet client environment variable disclosure the same way NetKit's
+ telnet client did (CAN-2005-0488) (rhbz#159305)
+- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
+ malformed or NULL principal structures from crashing outright (Thomas Biege)
+ (rhbz#161475)
+
+* Tue Jun 28 2005 Nalin Dahyabhai
+- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
+ (rhbz#157104)
+- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (rhbz#159755)
+
+* Fri Jun 24 2005 Nalin Dahyabhai 1.4.1-4
+- fix double-close in keytab handling
+- add port of fixes for CAN-2004-0175 to krb5-aware rcp (rhbz#151612)
+
+* Fri May 13 2005 Nalin Dahyabhai 1.4.1-3
+- prevent spurious EBADF in krshd when stdin is closed by the client while
+ the command is running (rhbz#151111)
+
+* Fri May 13 2005 Martin Stransky 1.4.1-2
+- add deadlock patch, removed old patch
+
+* Fri May 6 2005 Nalin Dahyabhai 1.4.1-1
+- update to 1.4.1, incorporating fixes for CAN-2005-0468 and CAN-2005-0469
+- when starting the KDC or kadmind, if KRB5REALM is set via the /etc/sysconfig
+ file for the service, pass it as an argument for the -r flag
+
+* Wed Mar 23 2005 Nalin Dahyabhai 1.4-3
+- drop krshd patch for now
+
+* Thu Mar 17 2005 Nalin Dahyabhai
+- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
+- add draft fix from Tom Yu for 
env_opt_add() buffer overflow (CAN-2005-0468)
+
+* Wed Mar 16 2005 Nalin Dahyabhai 1.4-2
+- don't include into the telnet client when we're not using curses
+
+* Thu Feb 24 2005 Nalin Dahyabhai 1.4-1
+- update to 1.4
+ - v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O"
+ flag to specify that it should communicate with the server using the older
+ protocol
+ - new libkrb5support library
+ - v5passwdd and kadmind4 are gone
+ - versioned symbols
+- pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass
+ it on to krb5kdc
+- pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass
+ it on to kadmind
+- pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass
+ it on to krb524d *instead of* "-m"
+- set "forwardable" in [libdefaults] in the default krb5.conf to match the
+ default setting which we supply for pam_krb5
+- set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting the
+ compiled-in default
+
+* Mon Dec 20 2004 Nalin Dahyabhai 1.3.6-3
+- rebuild
+
+* Mon Dec 20 2004 Nalin Dahyabhai 1.3.6-2
+- rebuild
+
+* Mon Dec 20 2004 Nalin Dahyabhai 1.3.6-1
+- update to 1.3.6, which includes the previous fix
+
+* Mon Dec 20 2004 Nalin Dahyabhai 1.3.5-8
+- apply fix from Tom Yu for MITKRB5-SA-2004-004 (CAN-2004-1189)
+
+* Fri Dec 17 2004 Martin Stransky 1.3.5-7
+- fix deadlock during file transfer via rsync/krsh
+- thanks goes to James Antill for hint
+
+* Fri Nov 26 2004 Nalin Dahyabhai 1.3.5-6
+- rebuild
+
+* Mon Nov 22 2004 Nalin Dahyabhai 1.3.5-3
+- fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, rhbz#140036)
+
+* Tue Nov 16 2004 Nalin Dahyabhai
+- silence compiler warning in kprop by using an in-memory ccache with a fixed
+ name instead of an on-disk ccache with a name generated by tmpnam()
+
+* Tue Nov 16 2004 Nalin Dahyabhai 1.3.5-2
+- fix globbing patch port mode (rhbz#139075)
+
+* Mon Nov 1 2004 Nalin Dahyabhai 1.3.5-1
+- fix segfault in telnet due to 
incorrect checking of gethostbyname_r result
+ codes (rhbz#129059)
+
+* Fri Oct 15 2004 Nalin Dahyabhai
+- remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of
+ supported keytypes in kdc.conf -- they produce exactly the same keys as
+ rc4-hmac:normal because rc4 string-to-key ignores salts
+- nuke kdcrotate -- there are better ways to balance the load on KDCs, and
+ the SELinux policy for it would have been scary-looking
+- update to 1.3.5, mainly to include MITKRB5SA 2004-002 and 2004-003
+
+* Tue Aug 31 2004 Nalin Dahyabhai 1.3.4-7
+- rebuild
+
+* Tue Aug 24 2004 Nalin Dahyabhai 1.3.4-6
+- rebuild
+
+* Tue Aug 24 2004 Nalin Dahyabhai 1.3.4-5
+- incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644,
+ CAN-2004-0772
+
+* Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-4
+- rebuild
+
+* Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-3
+- incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772
+ (MITKRB5-SA-2004-002, rhbz#130732)
+- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, rhbz#130732)
+
+* Tue Jul 27 2004 Nalin Dahyabhai 1.3.4-2
+- fix indexing error in server sorting patch (rhbz#127336)
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Mon Jun 14 2004 Nalin Dahyabhai 1.3.4-0.1
+- update to 1.3.4 final
+
+* Mon Jun 7 2004 Nalin Dahyabhai 1.3.4-0
+- update to 1.3.4 beta1
+- remove MITKRB5-SA-2004-001, included in 1.3.4
+
+* Mon Jun 7 2004 Nalin Dahyabhai 1.3.3-8
+- rebuild
+
+* Fri Jun 4 2004 Nalin Dahyabhai 1.3.3-7
+- rebuild
+
+* Fri Jun 4 2004 Nalin Dahyabhai 1.3.3-6
+- apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02)
+
+* Tue Jun 1 2004 Nalin Dahyabhai 1.3.3-5
+- rebuild
+
+* Tue Jun 1 2004 Nalin Dahyabhai 1.3.3-4
+- apply patch from MITKRB5-SA-2004-001 (rhbz#125001)
+
+* Wed May 12 2004 Thomas Woerner 1.3.3-3
+- removed rpath
+
+* Thu Apr 15 2004 Nalin Dahyabhai 1.3.3-2
+- re-enable large file support, fell out in 1.3-1
+- patch rcp to use long long and %%lld format specifiers when reporting 
file
+ sizes on large files
+
+* Tue Apr 13 2004 Nalin Dahyabhai 1.3.3-1
+- update to 1.3.3
+
+* Wed Mar 10 2004 Nalin Dahyabhai 1.3.2-1
+- update to 1.3.2
+
+* Mon Mar 8 2004 Nalin Dahyabhai 1.3.1-12
+- rebuild
+
+* Tue Mar 02 2004 Elliot Lee 1.3.1-11.1
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee 1.3.1-11
+- rebuilt
+
+* Mon Feb 9 2004 Nalin Dahyabhai 1.3.1-10
+- catch krb4 send_to_kdc cases in kdc preference patch
+
+* Mon Feb 2 2004 Nalin Dahyabhai 1.3.1-9
+- remove patch to set TERM in klogind which, combined with the upstream fix in
+ 1.3.1, actually produces the bug now (rhbz#114762)
+
+* Mon Jan 19 2004 Nalin Dahyabhai 1.3.1-8
+- when iterating over lists of interfaces which are "up" from getifaddrs(),
+ skip over those which have no address (rhbz#113347)
+
+* Mon Jan 12 2004 Nalin Dahyabhai
+- prefer the kdc which last replied to a request when sending requests to kdcs
+
+* Mon Nov 24 2003 Nalin Dahyabhai 1.3.1-7
+- fix combination of --with-netlib and --enable-dns (rhbz#82176)
+
+* Tue Nov 18 2003 Nalin Dahyabhai
+- remove libdefault ticket_lifetime option from the default krb5.conf, it is
+ ignored by libkrb5
+
+* Thu Sep 25 2003 Nalin Dahyabhai 1.3.1-6
+- fix bug in patch to make rlogind start login with a clean environment a la
+ netkit rlogin, spotted and fixed by Scott McClung
+
+* Tue Sep 23 2003 Nalin Dahyabhai 1.3.1-5
+- include profile.d scriptlets in krb5-devel so that krb5-config will be in
+ the path if krb5-workstation isn't installed, reported by Kir Kolyshkin
+
+* Mon Sep 8 2003 Nalin Dahyabhai
+- add more etypes (arcfour) to the default enctype list in kdc.conf
+- don't apply previous patch, refused upstream
+
+* Fri Sep 5 2003 Nalin Dahyabhai 1.3.1-4
+- fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials
+
+* Wed Sep 3 2003 Dan Walsh 1.3.1-3
+- Don't check for write access on /etc/krb5.conf if SELinux
+
+* Tue Aug 26 2003 Nalin Dahyabhai 1.3.1-2
+- fixup some int/pointer varargs wackiness
+
+* Tue Aug 5 2003 Nalin 
Dahyabhai 1.3.1-1
+- rebuild
+
+* Mon Aug 4 2003 Nalin Dahyabhai 1.3.1-0
+- update to 1.3.1
+
+* Thu Jul 24 2003 Nalin Dahyabhai 1.3-2
+- pull fix for non-compliant encoding of salt field in etype-info2 preauth
+ data from 1.3.1 beta 1, until 1.3.1 is released.
+
+* Mon Jul 21 2003 Nalin Dahyabhai 1.3-1
+- update to 1.3
+
+* Mon Jul 7 2003 Nalin Dahyabhai 1.2.8-4
+- correctly use stdargs
+
+* Wed Jun 18 2003 Nalin Dahyabhai 1.3-0.beta.4
+- test update to 1.3 beta 4
+- ditch statglue build option
+- krb5-devel requires e2fsprogs-devel, which now provides libss and libcom_err
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Wed May 21 2003 Jeremy Katz 1.2.8-2
+- gcc 3.3 doesn't implement varargs.h, include stdarg.h instead
+
+* Wed Apr 9 2003 Nalin Dahyabhai 1.2.8-1
+- update to 1.2.8
+
+* Mon Mar 31 2003 Nalin Dahyabhai 1.2.7-14
+- fix double-free of enc_part2 in krb524d
+
+* Fri Mar 21 2003 Nalin Dahyabhai 1.2.7-13
+- update to latest patch kit for MITKRB5-SA-2003-004
+
+* Wed Mar 19 2003 Nalin Dahyabhai 1.2.7-12
+- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028)
+
+* Mon Mar 17 2003 Nalin Dahyabhai 1.2.7-11
+- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and
+ CAN-2003-0139)
+
+* Thu Mar 6 2003 Nalin Dahyabhai 1.2.7-10
+- rebuild
+
+* Thu Mar 6 2003 Nalin Dahyabhai 1.2.7-9
+- fix buffer underrun in unparsing certain principals (CAN-2003-0082)
+
+* Tue Feb 4 2003 Nalin Dahyabhai 1.2.7-8
+- add patch to document the reject-bad-transited option in kdc.conf
+
+* Mon Feb 3 2003 Nalin Dahyabhai
+- add patch to fix server-side crashes when principals have no
+ components (CAN-2003-0072)
+
+* Thu Jan 23 2003 Nalin Dahyabhai 1.2.7-7
+- add patch from Mark Cox for exploitable bugs in ftp client
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Wed Jan 15 2003 Nalin Dahyabhai 1.2.7-5
+- use PICFLAGS when building code from the ktany patch
+
+* Thu Jan 9 2003 Bill Nottingham 1.2.7-4
+- debloat
+
+* Tue Jan 7 2003 Jeremy Katz 1.2.7-3
+- include 
.so.* symlinks as well as .so.*.*
+
+* Mon Dec 9 2002 Jakub Jelinek 1.2.7-2
+- always #include to access errno, never do it directly
+- enable LFS on a bunch of other 32-bit arches
+
+* Wed Dec 4 2002 Nalin Dahyabhai
+- increase the maximum name length allowed by kuserok() to the higher value
+ used in development versions
+
+* Mon Dec 2 2002 Nalin Dahyabhai
+- install src/krb524/README as README.krb524 in the -servers package,
+ includes information about converting for AFS principals
+
+* Fri Nov 15 2002 Nalin Dahyabhai 1.2.7-1
+- update to 1.2.7
+- disable use of tcl
+
+* Mon Nov 11 2002 Nalin Dahyabhai
+- update to 1.2.7-beta2 (internal only, not for release), dropping dnsparse
+ and kadmind4 fixes
+
+* Wed Oct 23 2002 Nalin Dahyabhai 1.2.6-5
+- add patch for buffer overflow in kadmind4 (not used by default)
+
+* Fri Oct 11 2002 Nalin Dahyabhai 1.2.6-4
+- drop a hunk from the dnsparse patch which is actually redundant (thanks to
+ Tom Yu)
+
+* Wed Oct 9 2002 Nalin Dahyabhai 1.2.6-3
+- patch to handle truncated dns responses
+
+* Mon Oct 7 2002 Nalin Dahyabhai 1.2.6-2
+- remove hashless key types from the default kdc.conf, they're not supposed to
+ be there, noted by Sam Hartman on krbdev
+
+* Fri Sep 27 2002 Nalin Dahyabhai 1.2.6-1
+- update to 1.2.6
+
+* Fri Sep 13 2002 Nalin Dahyabhai 1.2.5-7
+- use %%{_lib} for the sake of multilib systems
+
+* Fri Aug 2 2002 Nalin Dahyabhai 1.2.5-6
+- add patch from Tom Yu for exploitable bugs in rpc code used in kadmind
+
+* Tue Jul 23 2002 Nalin Dahyabhai 1.2.5-5
+- fix bug in krb5.csh which would cause the path check to always succeed
+
+* Fri Jul 19 2002 Jakub Jelinek 1.2.5-4
+- build even libdb.a with -fPIC and $RPM_OPT_FLAGS. 
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers
+- automated rebuild
+
+* Wed May 1 2002 Nalin Dahyabhai 1.2.5-1
+- update to 1.2.5
+- disable statglue
+
+* Fri Mar 1 2002 Nalin Dahyabhai 1.2.4-1
+- update to 1.2.4
+
+* Wed Feb 20 2002 Nalin Dahyabhai 1.2.3-5
+- rebuild in new environment
+- reenable statglue
+
+* Sat Jan 26 2002 Florian La Roche
+- prereq chkconfig for the server subpackage
+
+* Wed Jan 16 2002 Nalin Dahyabhai 1.2.3-3
+- build without -g3, which gives us large static libraries in -devel
+
+* Tue Jan 15 2002 Nalin Dahyabhai 1.2.3-2
+- reintroduce ld.so.conf munging in the -libs %%post
+
+* Thu Jan 10 2002 Nalin Dahyabhai 1.2.3-1
+- rename the krb5 package back to krb5-libs; the previous rename caused
+ something of an uproar
+- update to 1.2.3, which includes the FTP and telnetd fixes
+- configure without --enable-dns-for-kdc --enable-dns-for-realm, which now set
+ the default behavior instead of enabling the feature (the feature is enabled
+ by --enable-dns, which we still use)
+- reenable optimizations on Alpha
+- support more encryption types in the default kdc.conf (heads-up from post
+ to comp.protocols.kerberos by Jason Heiss)
+
+* Fri Aug 3 2001 Nalin Dahyabhai 1.2.2-14
+- rename the krb5-libs package to krb5 (naming a subpackage -libs when there
+ is no main package is silly)
+- move defaults for PAM to the appdefaults section of krb5.conf -- this is
+ the area where the krb5_appdefault_* functions look for settings)
+- disable statglue (warning: breaks binary compatibility with previous
+ packages, but has to be broken at some point to work correctly with
+ unpatched versions built with newer versions of glibc)
+
+* Fri Aug 3 2001 Nalin Dahyabhai 1.2.2-13
+- bump release number and rebuild
+
+* Wed Aug 1 2001 Nalin Dahyabhai
+- add patch to fix telnetd vulnerability
+
+* Fri Jul 20 2001 Nalin Dahyabhai
+- tweak statglue.c to fix stat/stat64 aliasing problems
+- be cleaner in use of gcc to build shlibs
+
+* Wed Jul 11 2001 Nalin Dahyabhai
+- use gcc to build shared libraries
+
+* Wed Jun 27 2001 Nalin Dahyabhai
+- add patch to support "ANY" keytab type (i.e.,
+ "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab"
+ patch from Gerald Britton, rhbz#42551)
+- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (rhbz#30697)
+- patch ftpd to use long long and %%lld format specifiers to support the SIZE
+ command on large files (also rhbz#30697)
+- don't use LOG_AUTH as an option value when calling openlog() in ksu (rhbz#45965)
+- implement reload in krb5kdc and kadmind init scripts (rhbz#41911)
+- lose the krb5server init script (not using it any more)
+
+* Sun Jun 24 2001 Elliot Lee
+- Bump release + rebuild.
+
+* Tue May 29 2001 Nalin Dahyabhai
+- pass some structures by address instead of on the stack in krb5kdc
+
+* Tue May 22 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Thu Apr 26 2001 Nalin Dahyabhai
+- add patch from Tom Yu to fix ftpd overflows (rhbz#37731)
+
+* Wed Apr 18 2001 Than Ngo
+- disable optimizations on the alpha again
+
+* Fri Mar 30 2001 Nalin Dahyabhai
+- add in glue code to make sure that libkrb5 continues to provide a
+ weak copy of stat()
+
+* Thu Mar 15 2001 Nalin Dahyabhai
+- build alpha with -O0 for now
+
+* Thu Mar 8 2001 Nalin Dahyabhai
+- fix the kpropd init script
+
+* Mon Mar 5 2001 Nalin Dahyabhai
+- update to 1.2.2, which fixes some bugs relating to empty ETYPE-INFO
+- re-enable optimization on Alpha
+
+* Thu Feb 8 2001 Nalin Dahyabhai
+- build alpha with -O0 for now
+- own %%{_var}/kerberos
+
+* Tue Feb 6 2001 Nalin Dahyabhai
+- own the directories which are created for each package (rhbz#26342)
+
+* Tue Jan 23 2001 Nalin Dahyabhai
+- gettextize init scripts
+
+* Fri Jan 19 2001 Nalin Dahyabhai
+- add some comments to the ksu patches for the curious
+- re-enable optimization on alphas
+
+* Mon Jan 15 2001 Nalin Dahyabhai
+- fix krb5-send-pr (rhbz#18932) and move it from -server to -workstation
+- 
buildprereq libtermcap-devel
+- temporariliy disable optimization on alphas
+- gettextize init scripts
+
+* Tue Dec 5 2000 Nalin Dahyabhai
+- force -fPIC
+
+* Fri Dec 1 2000 Nalin Dahyabhai
+- rebuild in new environment
+
+* Tue Oct 31 2000 Nalin Dahyabhai
+- add bison as a BuildPrereq (rhbz#20091)
+
+* Mon Oct 30 2000 Nalin Dahyabhai
+- change /usr/dict/words to /usr/share/dict/words in default kdc.conf (rhbz#20000)
+
+* Thu Oct 5 2000 Nalin Dahyabhai
+- apply kpasswd bug fixes from David Wragg
+
+* Wed Oct 4 2000 Nalin Dahyabhai
+- make krb5-libs obsolete the old krb5-configs package (rhbz#18351)
+- don't quit from the kpropd init script if there's no principal database so
+ that you can propagate the first time without running kpropd manually
+- don't complain if /etc/ld.so.conf doesn't exist in the -libs %%post
+
+* Tue Sep 12 2000 Nalin Dahyabhai
+- fix credential forwarding problem in klogind (goof in KRB5CCNAME handling)
+ (rhbz#11588)
+- fix heap corruption bug in FTP client (rhbz#14301)
+
+* Wed Aug 16 2000 Nalin Dahyabhai
+- fix summaries and descriptions
+- switched the default transfer protocol from PORT to PASV as proposed on
+ bugzilla (rhbz#16134), and to match the regular ftp package's behavior
+
+* Wed Jul 19 2000 Jeff Johnson
+- rebuild to compress man pages. 
+
+* Sat Jul 15 2000 Bill Nottingham
+- move initscript back
+
+* Fri Jul 14 2000 Nalin Dahyabhai
+- disable servers by default to keep linuxconf from thinking they need to be
+ started when they don't
+
+* Thu Jul 13 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai
+- change cleanup code in post to not tickle chkconfig
+- add grep as a Prereq: for -libs
+
+* Thu Jul 6 2000 Nalin Dahyabhai
+- move condrestarts to postun
+- make xinetd configs noreplace
+- add descriptions to xinetd configs
+- add /etc/init.d as a prereq for the -server package
+- patch to properly truncate $TERM in krlogind
+
+* Fri Jun 30 2000 Nalin Dahyabhai
+- update to 1.2.1
+- back out Tom Yu's patch, which is a big chunk of the 1.2 -> 1.2.1 update
+- start using the official source tarball instead of its contents
+
+* Thu Jun 29 2000 Nalin Dahyabhai
+- Tom Yu's patch to fix compatibility between 1.2 kadmin and 1.1.1 kadmind
+- pull out 6.2 options in the spec file (sonames changing in 1.2 means it's not
+ compatible with other stuff in 6.2, so no need)
+
+* Wed Jun 28 2000 Nalin Dahyabhai
+- tweak graceful start/stop logic in post and preun
+
+* Mon Jun 26 2000 Nalin Dahyabhai
+- update to the 1.2 release
+- ditch a lot of our patches which went upstream
+- enable use of DNS to look up things at build-time
+- disable use of DNS to look up things at run-time in default krb5.conf
+- change ownership of the convert-config-files script to root.root
+- compress PS docs
+- fix some typos in the kinit man page
+- run condrestart in server post, and shut down in preun
+
+* Mon Jun 19 2000 Nalin Dahyabhai
+- only remove old krb5server init script links if the init script is there
+
+* Sat Jun 17 2000 Nalin Dahyabhai
+- disable kshell and eklogin by default
+
+* Thu Jun 15 2000 Nalin Dahyabhai
+- patch mkdir/rmdir problem in ftpcmd.y
+- add condrestart option to init script
+- split the server init script into three pieces and add one for kpropd
+
+* Wed Jun 14 2000 Nalin 
Dahyabhai
+- make sure workstation servers are all disabled by default
+- clean up krb5server init script
+
+* Fri Jun 9 2000 Nalin Dahyabhai
+- apply second set of buffer overflow fixes from Tom Yu
+- fix from Dirk Husung for a bug in buffer cleanups in the test suite
+- work around possibly broken rev binary in running test suite
+- move default realm configs from /var/kerberos to %%{_var}/kerberos
+
+* Tue Jun 6 2000 Nalin Dahyabhai
+- make ksu and v4rcp owned by root
+
+* Sat Jun 3 2000 Nalin Dahyabhai
+- use %%{_infodir} to better comply with FHS
+- move .so files to -devel subpackage
+- tweak xinetd config files (bugs rhbz#11833, rhbz#11835, rhbz#11836, rhbz#11840)
+- fix package descriptions again
+
+* Wed May 24 2000 Nalin Dahyabhai
+- change a LINE_MAX to 1024, fix from Ken Raeburn
+- add fix for login vulnerability in case anyone rebuilds without krb4 compat
+- add tweaks for byte-swapping macros in krb.h, also from Ken
+- add xinetd config files
+- make rsh and rlogin quieter
+- build with debug to fix credential forwarding
+- add rsh as a build-time req because the configure scripts look for it to
+ determine paths
+
+* Wed May 17 2000 Nalin Dahyabhai
+- fix config_subpackage logic
+
+* Tue May 16 2000 Nalin Dahyabhai
+- remove setuid bit on v4rcp and ksu in case the checks previously added
+ don't close all of the problems in ksu
+- apply patches from Jeffrey Schiller to fix overruns Chris Evans found
+- reintroduce configs subpackage for use in the errata
+- add PreReq: sh-utils
+
+* Mon May 15 2000 Nalin Dahyabhai
+- fix double-free in the kdc (patch merged into MIT tree)
+- include convert-config-files script as a documentation file
+
+* Wed May 03 2000 Nalin Dahyabhai
+- patch ksu man page because the -C option never works
+- add access() checks and disable debug mode in ksu
+- modify default ksu build arguments to specify more directories in CMD_PATH
+ and to use getusershell()
+
+* Wed May 03 2000 Bill Nottingham
+- fix configure stuff for ia64
+
+* Mon Apr 10 2000 Nalin Dahyabhai
+- add LDCOMBINE=-lc to configure invocation to use libc versioning (rhbz#10653)
+- change Requires: for/in subpackages to include %%{version}
+
+* Wed Apr 05 2000 Nalin Dahyabhai
+- add man pages for kerberos(1), kvno(1), .k5login(5)
+- add kvno to -workstation
+
+* Mon Apr 03 2000 Nalin Dahyabhai
+- Merge krb5-configs back into krb5-libs. The krb5.conf file is marked as
+ a %%config file anyway.
+- Make krb5.conf a noreplace config file.
+
+* Thu Mar 30 2000 Nalin Dahyabhai
+- Make klogind pass a clean environment to children, like NetKit's rlogind does.
+
+* Wed Mar 08 2000 Nalin Dahyabhai
+- Don't enable the server by default.
+- Compress info pages.
+- Add defaults for the PAM module to krb5.conf
+
+* Mon Mar 06 2000 Nalin Dahyabhai
+- Correct copyright: it's exportable now, provided the proper paperwork is
+ filed with the government.
+
+* Fri Mar 03 2000 Nalin Dahyabhai
+- apply Mike Friedman's patch to fix format string problems
+- don't strip off argv[0] when invoking regular rsh/rlogin
+
+* Thu Mar 02 2000 Nalin Dahyabhai
+- run kadmin.local correctly at startup
+
+* Mon Feb 28 2000 Nalin Dahyabhai
+- pass absolute path to kadm5.keytab if/when extracting keys at startup
+
+* Sat Feb 19 2000 Nalin Dahyabhai
+- fix info page insertions
+
+* Wed Feb 9 2000 Nalin Dahyabhai
+- tweak server init script to automatically extract kadm5 keys if
+ /var/kerberos/krb5kdc/kadm5.keytab doesn't exist yet
+- adjust package descriptions
+
+* Thu Feb 3 2000 Nalin Dahyabhai
+- fix for potentially gzipped man pages
+
+* Fri Jan 21 2000 Nalin Dahyabhai
+- fix comments in krb5-configs
+
+* Fri Jan 7 2000 Nalin Dahyabhai
+- move /usr/kerberos/bin to end of PATH
+
+* Tue Dec 28 1999 Nalin Dahyabhai
+- install kadmin header files
+
+* Tue Dec 21 1999 Nalin Dahyabhai
+- patch around TIOCGTLC defined on alpha and remove warnings from libpty.h
+- add installation of info docs
+- remove krb4 compat patch because it doesn't fix workstation-side 
servers
+
+* Mon Dec 20 1999 Nalin Dahyabhai
+- remove hesiod dependency at build-time
+
+* Sun Dec 19 1999 Nalin Dahyabhai
+- rebuild on 1.1.1
+
+* Thu Oct 7 1999 Nalin Dahyabhai
+- clean up init script for server, verify that it works [jlkatz]
+- clean up rotation script so that rc likes it better
+- add clean stanza
+
+* Mon Oct 4 1999 Nalin Dahyabhai
+- backed out ncurses and makeshlib patches
+- update for krb5-1.1
+- add KDC rotation to rc.boot, based on ideas from Michael's C version
+
+* Mon Sep 27 1999 Nalin Dahyabhai
+- added -lncurses to telnet and telnetd makefiles
+
+* Mon Jul 5 1999 Nalin Dahyabhai
+- added krb5.csh and krb5.sh to /etc/profile.d
+
+* Tue Jun 22 1999 Nalin Dahyabhai
+- broke out configuration files
+
+* Mon Jun 14 1999 Nalin Dahyabhai
+- fixed server package so that it works now
+
+* Sat May 15 1999 Nalin Dahyabhai
+- started changelog (previous package from zedz.net)
+- updated existing 1.0.5 RPM from Eos Linux to krb5 1.0.6
+- added --force to makeinfo commands to skip errors during build