crypto/external/bsd - Sync with NetBSD-8

crypto/external/Makefile

@@ -1,10 +1,8 @@
-#	$NetBSD: Makefile,v 1.3 2013/02/12 20:55:37 christos Exp $
+#	$NetBSD: Makefile,v 1.4 2017/05/21 15:28:37 riastradh Exp $
 
 .include <bsd.own.mk>
 
-.if (${MKCRYPTO} != "no")
 #MINIX: Not yet imported: cpl
 SUBDIR+= bsd
-.endif
 
 .include <bsd.subdir.mk>

crypto/external/bsd/heimdal/Makefile.rules.inc

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.rules.inc,v 1.7 2012/09/05 19:31:04 christos Exp $
+# $NetBSD: Makefile.rules.inc,v 1.8 2017/01/28 21:31:43 christos Exp $
 
 SRCS+= ${HEIMSRCS:N*.et:N*.in:N*.asn1}
 
@@ -72,7 +72,7 @@ NORMALIZE_SRC=-e "s@${NETBSDSRCDIR}@/usr/src@g"
 
 .for x2c in ${ASN1_FILES.${src}}
 ${x2c:.x=.c}: ${x2c}
-	@${TOOL_SED} ${NORMALIZE_SRC} < ${x2c} > ${x2c}.r
+	@${TOOL_SED} ${NORMALIZE_SRC} < ${.ALLSRC} > ${x2c}.r
 	@cmp -s ${x2c}.r ${x2c:.x=.c} 2> /dev/null || cp ${x2c}.r ${x2c:.x=.c}
 	@rm -f ${x2c}.r
 .endfor

crypto/external/bsd/heimdal/bin/Makefile.inc

@@ -1,11 +1,13 @@
-# $NetBSD: Makefile.inc,v 1.2 2011/05/25 19:21:16 he Exp $
+# $NetBSD: Makefile.inc,v 1.3 2017/01/28 21:31:43 christos Exp $
 
 BINDIR=/usr/bin
 
 LDADD+= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lwind
 LDADD+= -lheimbase ${LIBVERS}
 LDADD+= -lcrypto -lcrypt
+LDADD+= -lsqlite3
 
 DPADD+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBWIND}
 DPADD+= ${LIBHEIMBASE} ${LIBVERS}
 DPADD+= ${LIBCRYPTO} ${LIBCRYPT}
+DPADD+= ${LIBSQLITE3}

crypto/external/bsd/heimdal/bin/kcc/Makefile

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.2 2011/05/25 19:21:16 he Exp $
+# $NetBSD: Makefile,v 1.3 2017/01/28 21:31:43 christos Exp $
 
 .include <bsd.own.mk>
 .include <${.CURDIR}/../../Makefile.inc>
@@ -12,14 +12,15 @@ LINKS+= ${BINDIR}/kcc ${BINDIR}/klist
 
 MAN= klist.1
 
-HEIMSRCS= kcc-commands.in
+HEIMSRCS= heimtools-commands.in
 
 SRCS=	copy_cred_cache.c	\
-	kcc.c			\
+	heimtools.c		\
 	klist.c			\
 	kswitch.c
 
 CPPFLAGS+= -I${DESTDIR}/usr/include/krb5
+CPPFLAGS+= -I${HEIMDIST}/kuser
 
 LDADD+= -lkafs -lsl
 LDADD+= -ledit -lterminfo

crypto/external/bsd/heimdal/dist/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 1995 - 2011 Kungliga Tekniska Högskolan
+Copyright (c) 1995 - 2014 Kungliga Tekniska Högskolan
 (Royal Institute of Technology, Stockholm, Sweden). 
 All rights reserved. 
 

crypto/external/bsd/heimdal/dist/Makefile.am

@@ -6,7 +6,7 @@ if KCM
 kcm_dir = kcm
 endif
 
-SUBDIRS=  include base lib kuser kdc admin kadmin kpasswd 
+SUBDIRS=  include lib kuser kdc admin kadmin kpasswd 
 SUBDIRS+= $(kcm_dir) appl tools tests packages etc po
 
 if HEIMDAL_DOCUMENTATION
@@ -38,6 +38,7 @@ EXTRA_DIST = \
 	autogen.sh \
 	krb5.conf \
 	cf/make-proto.pl \
+	cf/roken-h-process.pl \
 	cf/install-catman.sh \
 	cf/ChangeLog \
 	cf/c-function.m4 \
@@ -52,6 +53,13 @@ EXTRA_DIST = \
 	cf/krb-version.m4 \
 	cf/roken.m4 \
 	cf/valgrind-suppressions \
+	cf/maybe-valgrind.sh \
+	cf/symbol-version.py \
+	cf/w32-check-exported-symbols.pl \
+	cf/w32-def-from-dll.pl \
+	cf/w32-detect-vc-version.pl \
+	cf/w32-hh-toc-from-info.pl \
+	cf/w32-list-externs-from-objs.pl \
 	cf/vararray.m4
 
 print-distdir:

crypto/external/bsd/heimdal/dist/NEWS

@@ -1,3 +1,134 @@
+Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+
+ - kx509 realm-chopping security bug
+ - non-authorization of alias additions/removals in kadmind
+   (CVE-2016-2400)
+
+ Feature
+
+ - iprop has been revamped to fix a number of race conditions that could
+   lead to inconsistent replication
+ - Hierarchical capath support
+ - AES Encryption with HMAC-SHA2 for Kerberos 5
+   draft-ietf-kitten-aes-cts-hmac-sha2-11
+ - hcrypto is now thread safe on all platforms
+ - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
+   Solaris), and OpenSSL.  OpenSSL is now a first-class libhcrypto backend.
+   OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
+   backend
+ - HDB now supports LMDB
+ - Thread support on Windows
+ - RFC 6113  Generalized Framework for Kerberos Pre-Authentication (FAST)
+ - New GSS APIs:
+   . gss_localname
+ - Allow setting what encryption types a principal should have with
+   [kadmin] default_key_rules, see krb5.conf manpage for more info
+ - Unify libhcrypto with LTC (libtomcrypto)
+ - asn1_compile 64-bit INTEGER functionality
+ - HDB key history support including --keepold kadmin password option
+ - Improved cross-realm key rollover safety
+ - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
+ - Improved MIT compatibility
+   . kadm5 API
+   . Migration from MIT KDB via "mitdb" HDB backend
+   . Capable of writing the HDB in MIT dump format
+ - Improved Active Directory interoperability
+   . Enctype selection issues for PAC and other authz-data signatures
+   . Cross realm key rollover (kvno 0)
+ - New [kdc] enctype negotiation configuration:
+   . tgt-use-strongest-session-key
+   . svc-use-strongest-session-key
+   . preauth-use-strongest-session-key
+   . use-strongest-server-key
+ - The KDC process now uses a multi-process model improving
+   resiliency and performance
+ - Allow batch-mode kinit with password file
+ - SIGINFO support added to kinit cmd
+ - New kx509 configuration options:
+   . kx509_ca
+   . kca_service
+   . kx509_include_pkinit_san
+   . kx509_template
+ - Improved Heimdal library/plugin version safety
+ - Name canonicalization
+   . DNS resolver searchlist
+   . Improved referral support
+   . Support host:port host-based services
+ - Pluggable libheimbase interface for DBs
+ - Improve IPv6 Support
+ - LDAP
+   . Bind DN and password
+   . Start TLS
+ - klist --json
+ - DIR credential cache type
+ - Updated upstream SQLite and libedit
+ - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
+   telnet, xnlock
+ - Completely remove RAND_egd support
+ - Moved kadmin and ktutil to /usr/bin
+ - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
+    . use O_NOFOLLOW
+    . don't follow symlinks
+    . require cache files to be owned by the user
+    . require sensible permissions (not group/other readable)
+ - Implemented gss_store_cred()
+ - Many more
+
+ Bug fixes
+ - iprop has been revamped to fix a number of race conditions that could
+   lead to data loss
+ - Include non-loopback addresses assigned to loopback interfaces
+   when requesting tickets with addresses
+ - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
+ - Keytab file descriptor and lock leak
+ - Credential cache corruption bugs
+   (NOTE: The FILE ccache is still not entirely safe due to the
+   fundamentally unsafe design of POSIX file locking)
+ - gss_pseudo_random() interop bug
+ - Plugins are now preferentially loaded from the run-time install tree
+ - Reauthentication after password change in init_creds_password
+ - Memory leak in the client kadmin library
+ - TGS client requests renewable/forwardable/proxiable when possible
+ - Locking issues in DB1 and DB3 HDB backends
+ - Master HDB can remain locked while waiting for network I/O
+ - Renewal/refresh logic when kinit is provided with a command
+ - KDC handling of enterprise principals
+ - Use correct bit for anon-pkinit
+ - Many more
+
+ Acknowledgements
+
+ This release of Heimdal includes contributions from:
+
+    Abhinav Upadhyay        Heath Kehoe             Nico Williams
+    Andreas Schneider       Henry Jacques           Patrik Lundin
+    Andrew Bartlett         Howard Chu              Philip Boulain
+    Andrew Tridgell         Igor Sobrado            Ragnar Sundblad
+    Antoine Jacoutot        Ingo Schwarze           Remi Ferrand
+    Arran Cudbard-Bell      Jakub Čajka             Rod Widdowson
+    Arvid Requate           James Le Cuirot         Rok Papež
+    Asanka Herath           James Lee               Roland C. Dowdeswell
+    Ben Kaduk               Jeffrey Altman          Ross L Richardson
+    Benjamin Kaduk          Jeffrey Clark           Russ Allbery
+    Bernard Spil            Jeffrey Hutzelman       Samuel Cabrero
+    Brian May               Jelmer Vernooij         Samuel Thibault
+    Chas Williams           Ken Dreyer              Santosh Kumar Pradhan
+    Chaskiel Grundman       Kiran S J               Sean Davis
+    Dana Koch               Kumar Thangavelu        Sergio Gelato
+    Daniel Schepler         Landon Fuller           Simon Wilkinson
+    David Mulder            Linus Nordberg          Stef Walter
+    Douglas Bagnall         Love Hörnquist Åstrand  Stefan Metzmacher
+    Ed Maste                Luke Howard             Steffen Jaeckel
+    Eray Aslan              Magnus Ahltorp          Timothy Pearson
+    Florian Best            Marc Balmer             Tollef Fog Heen
+    Fredrik Pettai          Marcin Cieślak          Tony Acero
+    Greg Hudson             Marco Molteni           Uri Simchoni
+    Gustavo Zacarias        Matthieu Hautreux       Viktor Dukhovni
+    Günther Deschner        Michael Meffie          Volker Lendecke
+    Harald Barth            Moritz Lenz
+
 Release Notes - Heimdal - Version Heimdal 1.5.3
 
  Bug fixes
@@ -102,7 +233,7 @@ Release Notes - Heimdal - Version Heimdal 1.3
 
  - Support for settin friendly name on credential caches
  - Move to using doxygen to generate documentation.
- - Sprinkling __attribute__((depricated)) for old function to be removed
+ - Sprinkling __attribute__((__deprecated__)) for old function to be removed
  - Support to export LAST-REQUST information in AS-REQ
  - Support for client deferrals in in AS-REQ
  - Add seek support for krb5_storage.

crypto/external/bsd/heimdal/dist/NTMakefile

@@ -29,12 +29,17 @@
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-!if exist(thirdparty/NTMakefile)
+!if exist("thirdparty\NTMakefile")
 thirdparty=thirdparty
 !endif
 
-SUBDIRS = include lib\roken base lib kuser kdc admin kadmin kpasswd appl doc \
+!ifdef APPVEYOR
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc \
+	tools tests packages etc
+!else
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc \
 	tools tests packages etc $(thirdparty) packages\windows\installer
+!endif
 
 !include windows/NTMakefile.w32
 

crypto/external/bsd/heimdal/dist/README.fast

@@ -0,0 +1,17 @@
+
+-- in order of preference
+
+- client: support KRB5_PADATA_ENCRYPTED_CHALLENGE in lib/krb5/init_creds_pw.c
+- client: don't support ENC-TS in FAST
+
+- client: plugin support for fast plugins
+
+- kdc: plugin support for fast plugins
+	partly done with "struct kdc_patypes"
+
+- kcm: support FAST armor ticket
+-- using PK-INIT anonymous
+-- using host key
+
+- client: tgs-req fast support
+- kdc: tgs-req fast support

crypto/external/bsd/heimdal/dist/admin/Makefile.am

@@ -2,11 +2,11 @@
 
 include $(top_srcdir)/Makefile.am.common
 
-AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto)
+AM_CPPFLAGS += $(INCLUDE_readline)
 
-man_MANS = ktutil.8
+man_MANS = ktutil.1
 
-sbin_PROGRAMS = ktutil
+bin_PROGRAMS = ktutil
 
 dist_ktutil_SOURCES =				\
 	add.c					\

crypto/external/bsd/heimdal/dist/admin/add.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: add.c,v 1.1.1.2 2014/04/24 12:45:26 pettai Exp $	*/
+/*	$NetBSD: add.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
 
 /*
  * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
@@ -35,7 +35,7 @@
 
 #include "ktutil_locl.h"
 
-__RCSID("NetBSD");
+__RCSID("$NetBSD: add.c,v 1.2 2017/01/28 21:31:44 christos Exp $");
 
 static char *
 readstring(const char *prompt, char *buf, size_t len)

crypto/external/bsd/heimdal/dist/admin/change.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: change.c,v 1.1.1.2 2014/04/24 12:45:26 pettai Exp $	*/
+/*	$NetBSD: change.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
 
 /*
  * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
@@ -35,7 +35,7 @@
 
 #include "ktutil_locl.h"
 
-__RCSID("NetBSD");
+__RCSID("$NetBSD: change.c,v 1.2 2017/01/28 21:31:44 christos Exp $");
 
 static krb5_error_code
 change_entry (krb5_keytab keytab,

crypto/external/bsd/heimdal/dist/admin/copy.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: copy.c,v 1.1.1.2 2014/04/24 12:45:26 pettai Exp $	*/
+/*	$NetBSD: copy.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
 
 /*
  * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
@@ -35,7 +35,7 @@
 
 #include "ktutil_locl.h"
 
-__RCSID("NetBSD");
+__RCSID("$NetBSD: copy.c,v 1.2 2017/01/28 21:31:44 christos Exp $");
 
 
 static krb5_boolean

crypto/external/bsd/heimdal/dist/admin/destroy.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: destroy.c,v 1.1.1.1 2011/04/13 18:14:32 elric Exp $	*/
+/*	$NetBSD: destroy.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
 
 /*
  * Copyright (c) 2009 Kungliga Tekniska Högskolan

crypto/external/bsd/heimdal/dist/admin/get.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: get.c,v 1.1.1.2 2014/04/24 12:45:26 pettai Exp $	*/
+/*	$NetBSD: get.c,v 1.2 2017/01/28 21:31:44 christos Exp $	*/
 
 /*
  * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
@@ -35,7 +35,7 @@
 
 #include "ktutil_locl.h"
 
-__RCSID("NetBSD");
+__RCSID("$NetBSD: get.c,v 1.2 2017/01/28 21:31:44 christos Exp $");
 
 static void*
 open_kadmin_connection(char *principal,

crypto/external/bsd/heimdal/dist/admin/ktutil-commands.in

@@ -206,7 +206,7 @@ command = {
 		short = "V"
 		type = "integer"
 		help = "key version to remove"
-		argument = "enctype"
+		argument = "kvno"
 		default = "0"
 	}
 	option = {

crypto/external/bsd/heimdal/dist/admin/ktutil.8 → crypto/external/bsd/heimdal/dist/admin/ktutil.1

@@ -1,4 +1,4 @@
-.\"	$NetBSD: ktutil.8,v 1.4 2014/04/25 00:26:16 pettai Exp $
+.\"	$NetBSD: ktutil.1,v 1.2 2017/01/28 21:31:44 christos Exp $
 .\"
 .\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
@@ -34,7 +34,7 @@
 .\" Id
 .\"
 .Dd April 14, 2005
-.Dt KTUTIL 8
+.Dt KTUTIL 1
 .Os
 .Sh NAME
 .Nm ktutil
@@ -123,4 +123,4 @@ that is at least
 (default one week) old.
 .El
 .Sh SEE ALSO
-.Xr kadmin 8
+.Xr kadmin 1